Authenticated Encryption with GCM

Why confidentiality alone is not enough and how GCM adds tamper detection.

Encryption Without Authentication Is Risky

Plain encryption keeps data secret but does not prove that it arrived unmodified. An attacker who cannot read the ciphertext can still flip bits in it, and a naive decryptor will happily produce corrupted or attacker-influenced plaintext without noticing. This class of weakness is what motivates authenticated encryption.

What GCM Provides

AES-GCM (Galois/Counter Mode) combines a fast counter-mode cipher with an authentication tag. After decryption the receiver recomputes the tag and rejects the message if it does not match. This gives two guarantees at once:

  • Confidentiality, so outsiders cannot read the data.
  • Integrity and authenticity, so any tampering is detected and rejected.

GCM also supports additional authenticated data (AAD), letting you bind headers or context that are authenticated but not encrypted: if the AAD is changed in transit, the tag check fails just as it does for a modified ciphertext.

Operational rules are strict:

  • The nonce must be unique for every message under a key.
  • Reject the message if the tag check fails, and never act on the decrypted bytes before the check has passed.
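The following Go program is an added example, not code from the original lesson; it uses the standard library's crypto/cipher GCM implementation to show the bit-flip scenario from the first section and the two operational rules above. The key, the AAD header and the message bytes are constructed for the demonstration only; a real key comes from a KDF or key store, never from source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte AES-256 key for this example only.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// seal encrypts plaintext with AES-GCM under a fresh random 96-bit nonce and
// binds aad (header bytes that travel in the clear) into the tag.
// Output layout: nonce || ciphertext || 16-byte tag.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A new random nonce per message keeps every (key, nonce) pair unique.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open verifies the tag over nonce, ciphertext and aad, and returns the
// plaintext only if verification succeeds. Go's GCM never hands back
// unauthenticated plaintext, so a tampered message is rejected as a whole.
func open(key, aad, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		// No partial plaintext is returned: the caller never sees it.
		return nil, errors.New("tag check failed, message rejected")
	}
	return pt, nil
}

// flipBit returns a copy of msg with one bit at byte index i inverted,
// simulating a message modified in transit.
func flipBit(msg []byte, i int) []byte {
	out := append([]byte(nil), msg...)
	out[i] ^= 0x01
	return out
}

func main() {
	aad := []byte("msg-id=42;from=alice") // authenticated header, not encrypted
	pt := []byte("transfer 100 to bob")   // constructed sample message
	sealed, err := seal(demoKey, aad, pt)
	if err != nil {
		panic(err)
	}
	if got, err := open(demoKey, aad, sealed); err == nil {
		fmt.Printf("intact message:  %q\n", got)
	}
	// 1. One bit flipped inside the ciphertext body (after the 12-byte nonce).
	if _, err := open(demoKey, aad, flipBit(sealed, 12)); err != nil {
		fmt.Println("ciphertext flip:", err)
	}
	// 2. Same ciphertext, but the header (AAD) was changed.
	if _, err := open(demoKey, []byte("msg-id=42;from=mallory"), sealed); err != nil {
		fmt.Println("aad change:     ", err)
	}
	// 3. Last byte of the tag removed.
	if _, err := open(demoKey, aad, sealed[:len(sealed)-1]); err != nil {
		fmt.Println("tag truncation: ", err)
	}
}
```

The receiver only ever sees plaintext from `open` after the tag has been verified, which is the "verify before trusting" rule in code form. Random 96-bit nonces satisfy the uniqueness rule for a bounded number of messages per key; a high-volume system should either rotate keys well before the collision risk becomes material or use a counter-based nonce that it can guarantee never repeats.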

Key idea

Use authenticated encryption like AES GCM so messages are both secret and tamper evident, and always verify the tag before trusting any decrypted bytes.

Check yourself

1. What does GCM add beyond confidentiality?

2. When should a GCM receiver trust the decrypted bytes?

3. What requirement applies to the GCM nonce?