Overview
AES-GCM (Advanced Encryption Standard - Galois/Counter Mode) is a symmetric encryption mode that provides both confidentiality and authenticity for data. It is a widely adopted standard for secure data transmission in modern web and mobile applications, especially when protecting sensitive information such as user credentials, session tokens, or personal data.
It is used in a variety of contexts, including secure communication protocols like TLS, secure storage of data in databases, and obfuscation of sensitive values in client-side JavaScript applications. AES-GCM is often implemented in JavaScript environments using Web Crypto API or libraries such as crypto-js or node-forge in Node.js.

Why It Matters
For developers working with sensitive data, AES-GCM is essential for ensuring both data integrity and confidentiality. In web applications, it is often used to protect session tokens, API keys, or user data before storage or transmission. The mode's built-in authentication makes it resistant to tampering, which is critical in preventing man-in-the-middle attacks or data corruption.
Production environments that rely on data security, such as financial systems, healthcare platforms, or authentication services, must use authenticated encryption modes like AES-GCM to meet compliance requirements. Using insecure or unauthenticated encryption can lead to vulnerabilities such as padding oracle attacks or data injection exploits.
How It Works
AES-GCM combines the AES block cipher with a Galois field multiplication for authentication. It operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits. The mode uses a nonce (number used once) to ensure uniqueness of each encryption operation, which is critical to prevent replay attacks.
- AES-GCM is a symmetric encryption algorithm, meaning the same key is used for both encryption and decryption.
- It produces an authentication tag that ensures data integrity and authenticity.
- The nonce must be unique for each encryption operation with a given key to maintain security.
- The mode supports authenticated encryption, providing both confidentiality and integrity in a single operation.
- It is widely supported in modern browsers and Node.js environments through the Web Crypto API.
Quick Reference
| Item | Purpose | Notes |
|---|---|---|
| Key size | Encryption key length | 128, 192, or 256 bits |
| Nonce | Unique value for encryption | Must be unique per key |
| Authentication tag | Ensures data integrity | Generated during encryption |
| Block size | Fixed AES block size | 128 bits |
| Supported modes | Web Crypto API and libraries | Node.js and browser environments |
Basic Example
This example demonstrates how to encrypt and decrypt data using AES-GCM in a browser environment with the Web Crypto API.
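```javascript
const encoder = new TextEncoder();
const data = encoder.encode("Secret message");

// `key` is an AES-GCM CryptoKey with "encrypt" and "decrypt" usages
// (for example from crypto.subtle.generateKey or crypto.subtle.importKey).
async function encrypt(data, key) {
  // 12-byte (96-bit) random nonce, generated fresh on every call
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const ciphertext = await crypto.subtle.encrypt({
    name: "AES-GCM",
    iv: iv
  }, key, data);
  // The returned ciphertext has the authentication tag appended
  return { iv, ciphertext };
}

async function decrypt(iv, ciphertext, key) {
  // The promise rejects if the authentication tag does not verify
  const plaintext = await crypto.subtle.decrypt({
    name: "AES-GCM",
    iv: iv
  }, key, ciphertext);
  return new TextDecoder().decode(plaintext);
}
```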
The example shows encryption using a randomly generated 12-byte nonce and the Web Crypto API's encrypt method. Decryption uses the same nonce and key to verify authenticity and recover the original data.
Production Example
This example demonstrates a more robust approach to using AES-GCM in a Node.js application, including key derivation, error handling, and configuration.
```javascript
const crypto = require('crypto');

const algorithm = 'aes-256-gcm';
// 32-byte key for AES-256: the SHA-256 digest of a passphrase.
// The passphrase is hardcoded here only to keep the example short.
const key = crypto.createHash('sha256').update('my-secret-key').digest();

function encrypt(text) {
  const iv = crypto.randomBytes(12); // fresh 12-byte nonce per message
  const cipher = crypto.createCipheriv(algorithm, key, iv);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  // The tag is only available after final()
  const authTag = cipher.getAuthTag().toString('hex');
  return { iv: iv.toString('hex'), encrypted, authTag };
}

function decrypt(iv, encrypted, authTag) {
  const decipher = crypto.createDecipheriv(algorithm, key, Buffer.from(iv, 'hex'));
  decipher.setAuthTag(Buffer.from(authTag, 'hex'));
  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
  // final() throws if the authentication tag does not match
  decrypted += decipher.final('utf8');
  return decrypted;
}
```
This version includes proper key derivation using SHA-256, handles authentication tags, and is structured to be reusable and maintainable in a production codebase.
Common Mistakes
- Reusing the same nonce with the same key can lead to key recovery and decryption of messages.
- Not validating or checking the authentication tag can result in tampered data being accepted as valid.
- Using weak or predictable keys undermines the security of the encryption scheme.
- Storing or transmitting the nonce in plaintext alongside the ciphertext can reduce security.
- Incorrectly handling errors during decryption, such as ignoring crypto API exceptions, can lead to runtime failures or insecure behavior.
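Why the first item matters, as an added example that is not part of the original page: GCM encrypts in counter mode, so two messages under the same key and nonce share a keystream, and XORing the two ciphertexts yields the XOR of the two plaintexts. `keystreamCancels` and `findNonceReuse` are hypothetical helper names, the `{ keyId, iv }` record shape is an assumption, and all keys, nonces and messages are constructed.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a caller-supplied nonce, so the mistake can be reproduced.
function gcmEncrypt(key, iv, text) {
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  return Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
}

function xor(a, b) {
  const out = Buffer.alloc(Math.min(a.length, b.length));
  for (let i = 0; i < out.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// True when XOR of the two ciphertexts equals XOR of the two plaintexts,
// i.e. the shared keystream cancelled out and plaintext structure leaked.
function keystreamCancels(key, iv1, iv2, p1, p2) {
  const c1 = gcmEncrypt(key, iv1, p1);
  const c2 = gcmEncrypt(key, iv2, p2);
  return xor(c1, c2).equals(xor(Buffer.from(p1), Buffer.from(p2)));
}

// Hypothetical audit helper: list "keyId:iv" pairs that occur more than once
// in stored records of the form { keyId, iv } (iv as a hex string).
function findNonceReuse(records) {
  const counts = new Map();
  for (const { keyId, iv } of records) {
    const id = `${keyId}:${iv}`;
    counts.set(id, (counts.get(id) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([id]) => id);
}

// Constructed sample data.
const key = crypto.randomBytes(32);
const ivA = crypto.randomBytes(12);
const ivB = crypto.randomBytes(12);
const p1 = 'amount=0100;to=alice';
const p2 = 'amount=9999;to=carol';

console.log(keystreamCancels(key, ivA, ivA, p1, p2)); // true: nonce reused
console.log(keystreamCancels(key, ivA, ivB, p1, p2)); // false: unique nonces
console.log(findNonceReuse([
  { keyId: 'k1', iv: ivA.toString('hex') },
  { keyId: 'k1', iv: ivB.toString('hex') },
  { keyId: 'k1', iv: ivA.toString('hex') },
])); // one entry: k1 with ivA
```

Running `findNonceReuse` over stored nonces is a cheap regression check for counter bugs or a broken random source in whatever generates them.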
Security And Production Notes
- Always use a unique nonce per encryption operation with a given key.
- Verify the authentication tag during decryption to prevent tampering.
- Derive keys using a secure key derivation function (KDF) instead of using raw passwords.
- Ensure that encryption keys are stored securely and not hardcoded in source code.
- Consider using libraries or built-in APIs with strong default configurations to avoid misconfiguration.
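The notes above combined into one Node.js sketch, as an added example that is not part of the original page: the key is derived with scrypt from a caller-supplied passphrase and a per-message random salt, every call draws a fresh 12-byte nonce, and a failed tag check is reported as `null` instead of an unhandled exception. The names `deriveKey`, `sealText` and `openText`, the record layout, and the use of Node's default scrypt cost parameters are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Derive a 32-byte AES-256 key from a passphrase with scrypt
// (Node's default cost parameters; tune them for your hardware).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt `text`. The passphrase is passed in by the caller, e.g. read from
// a secret store at startup, and is never embedded in source code.
function sealText(passphrase, text) {
  const salt = crypto.randomBytes(16); // fresh salt, so a fresh key per message
  const iv = crypto.randomBytes(12);   // fresh 96-bit nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    encrypted: ciphertext.toString('hex'),
    authTag: cipher.getAuthTag().toString('hex'),
  };
}

// Decrypt a record produced by sealText(). Returns the plaintext, or null if
// the tag, ciphertext, nonce, salt or passphrase is wrong.
function openText(passphrase, record) {
  try {
    const key = deriveKey(passphrase, Buffer.from(record.salt, 'hex'));
    const decipher = crypto.createDecipheriv(
      'aes-256-gcm', key, Buffer.from(record.iv, 'hex'),
      { authTagLength: 16 }); // reject truncated tags
    decipher.setAuthTag(Buffer.from(record.authTag, 'hex'));
    const plain = Buffer.concat([
      decipher.update(Buffer.from(record.encrypted, 'hex')),
      decipher.final(), // throws if the tag does not verify
    ]);
    return plain.toString('utf8');
  } catch (err) {
    return null; // never hand back unauthenticated plaintext
  }
}
```

Deriving a key per message costs one scrypt run each time; a service that encrypts many records can derive the key once and rely on the per-message nonce for uniqueness.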
Related Concepts
AES-GCM is closely related to several cryptographic concepts and standards. These include:
- AES (Advanced Encryption Standard) – The underlying block cipher used in AES-GCM.
- Authenticated Encryption – The concept of providing both confidentiality and integrity.
- Nonce – A value used once, critical for secure encryption.
- Web Crypto API – The browser API that supports AES-GCM encryption natively.
- Encryption Key Management – The practice of securely generating, storing, and rotating encryption keys.