AES GCM and GMAC authenticated encryption algorithms provide stronger authentication assurance than a (non-cryptographic) checksum or error detecting code. In particular, they can detect both a) accidental modifications of the data, and b) intentional, unauthorized modifications.
Galois/Counter Mode (GCM) is a recommended algorithm for authenticated encryption with associated data. GCM is constructed from an approved symmetric key block cipher with a block size of 128 bits, such as the Advanced Encryption Standard (AES) algorithm. Thus, GCM is a mode of operation of the AES algorithm. GCM provides assurance of the confidentiality of data using a variation of the Counter mode of operation for encryption. GCM provides assurance of the authenticity of the confidential data (up to about 64 gigabytes per invocation) using a universal hash function that is defined over a binary Galois field. GCM can also provide authentication assurance for additional data (of practically unlimited length per invocation) that is not encrypted. If the GCM input is restricted to data that is not to be encrypted, the resulting specialization of GCM, called GMAC, is simply an authentication mode on the input data.
The two functions of GCM are called authenticated encryption and authenticated decryption. Each of these functions is relatively efficient and parallelizable. Consequently, high-throughput implementations are possible in both hardware and software. GCM has several other useful characteristics, including the following:
- The GCM functions are “online” in the sense that the lengths of the confidential data and the additional, non-confidential data are not required in advance. Instead, the lengths can be calculated as the data arrives and is processed.
- The GCM functions require only the forward direction of the underlying block cipher.
- The authenticity of the protected data can be verified independently from the recovery of the confidential data from its encrypted form.
- If the unique initialization string is predictable, and the length of the confidential data is known, then the block cipher invocations within the GCM encryption mechanism can be precomputed.
- If some or all of the additional, non-confidential data is fixed, then the corresponding elements of the GCM authentication mechanism can be precomputed.
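The following Go program is an added example, not VOCAL's code, that uses the standard library's AES-GCM to show the behaviour described above: the ciphertext and the additional non-confidential data are both authenticated, a single modified bit causes decryption to be refused rather than returning corrupted plaintext, and GMAC falls out as the case with no plaintext to encrypt. The key, nonce and data are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// newAEAD builds AES-GCM from the AES cipher; GCM uses only the forward direction.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext and authenticates ciphertext and aad; Go's GCM
// returns ciphertext followed by the 16-byte tag.
func gcmSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen verifies the tag over ciphertext and aad before releasing plaintext;
// any modification to either input produces an error and no plaintext.
func gcmOpen(key, nonce, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, aad)
}

// gmacTag is the GMAC specialization: no plaintext, so the output is only the tag over aad.
func gmacTag(key, nonce, aad []byte) ([]byte, error) { return gcmSeal(key, nonce, nil, aad) }

func main() {
	key := bytes.Repeat([]byte{0x01}, 16)   // constructed 128-bit key
	nonce := bytes.Repeat([]byte{0x02}, 12) // constructed 96-bit IV; must be unique per key
	aad := []byte("RTP header")             // constructed associated data
	sealed, _ := gcmSeal(key, nonce, []byte("voice payload"), aad)
	sealed[0] ^= 0x01 // one ciphertext bit corrupted in transit
	_, err := gcmOpen(key, nonce, sealed, aad)
	fmt.Println("modified ciphertext rejected:", err != nil)
}
```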
VOCAL offers a wide range of cryptographic solutions in both hardware and software form factors.
Related Specifications
- SRTP – RFC 3711 The Secure Real-time Transport Protocol (SRTP)
- RFC 7714 – AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)
- RFC 5116 An Interface and Algorithms for Authenticated Encryption
- RTP – RFC 3550 RTP: A Transport Protocol for Real-Time Applications
- RTCP – RFC 3550 RTP: A Transport Protocol for Real-Time Applications