public final class GcmBlockMechanism extends BlockMechanism
Note: As the Cipher.updateAAD method and GCMParameterSpec class were not available until Java 1.7, the GCM block mechanism is only available when running on Java 1.7 or later.
GCM is a block cipher mode of operation supported for use with 128-bit symmetric block ciphers (e.g. AES) with keys of at least 128 bits. This mode effectively turns the symmetric block cipher into an authenticated symmetric stream cipher. An authenticated symmetric cipher performs the services of a standard symmetric cipher and a MAC algorithm combined; that is, it provides both confidentiality and assurance of authenticity (and therefore integrity) for the data that it protects. Because the block cipher is used as a stream cipher, no padding mechanism is required and the ciphertext is the same length as the plaintext (plus the authentication tag).
To provide authenticity, an authentication tag is output from a GCM authenticated encryption operation. This authentication tag is then also required as an input to the authenticated decryption operation. During authenticated decryption, the authentication tag is re-calculated over the received ciphertext and additional authenticated data and compared to the provided value; any difference causes the authenticated decryption operation to fail and no plaintext is returned (the data may have been tampered with). During authenticated encryption, the size (in bytes) of the authentication tag that is generated is configurable; this implementation supports the following values: [12, 13, 14, 15, 16]. This configuration is done through the algorithm parameters provided during initialization (GCMParameterSpec expresses the tag length in bits, so these correspond to 96 through 128 bits). Shorter tags weaken the forgery resistance, so 16 bytes should be used unless a protocol mandates otherwise.
There are two types of input data that can be protected by the GCM block mechanism: the plaintext, which is both encrypted and authenticated, and additional authenticated data (AAD), which is authenticated but not encrypted and is supplied through Cipher.updateAAD before the plaintext is processed. AAD is typically header or context information (record identifiers, version fields) that must be readable in the clear but must not be modifiable.
One other input that is required by GCM is an initialization vector (IV), which is essentially a nonce. The IV must be unique for each authenticated encryption operation with a given key; generating it randomly is the usual way to achieve this. Following encryption, the IV is considered a public value and may be stored in the clear along with the authentication tag and ciphertext. During decryption, the same IV that was used for encryption must also be provided. The IV can be any size (in bytes), but to promote interoperability and efficiency, it is recommended to use an IV of 12 bytes; a 12-byte IV is used directly as the counter block prefix, whereas any other length must first be processed through the GHASH function.
IMPORTANT: The security of GCM depends on IVs being unique for each authenticated encryption operation with a given key. Entrust's GCM implementation guarantees this by overwriting the IV passed into the symmetric cipher with a random value of the same length: during authenticated encryption, the symmetric cipher first randomly generates a new IV, uses this IV, and then makes it available to the caller through the Cipher.getParameters() API. Callers must therefore read the IV back from the cipher after encryption rather than relying on the value they supplied.
This behaviour differs from the standard Cipher API, which states that a call to Cipher.doFinal() "resets this cipher object to the state it was in when previously initialized via a call to init". In order to obey the IV uniqueness requirement, a cipher in GCM mode necessarily will not automatically re-initialize itself. Instead, a manual re-initialization is required via a call to Cipher.init(), which will cause a new unique IV to be generated.
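The complete encrypt/decrypt cycle described above (tag length chosen through GCMParameterSpec, AAD supplied via updateAAD, the IV read back through Cipher.getParameters(), a fresh init() before every encryption, and the failure path when the tag does not verify), as an added example that is not part of the original page or of the Entrust toolkit. It assumes the standard "AES/GCM/NoPadding" transformation name and the JDK's default provider; with the Entrust provider the provider name would be passed to Cipher.getInstance, and the IV supplied to init() would be replaced as the page describes. The header and message bytes are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmExample {
    // GCMParameterSpec takes the tag length in bits: 128 bits = 16 bytes, the largest
    // value the page lists, and the value to prefer unless a protocol dictates otherwise.
    private static final int TAG_BITS = 128;
    // 12-byte IV as the page recommends.
    private static final int IV_BYTES = 12;
    // Assumed transformation name (standard JCE naming); the provider is the JDK default.
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";

    /** Output of one authenticated encryption: the IV plus ciphertext with the tag appended. */
    static final class Sealed {
        final byte[] iv;
        final byte[] ciphertextAndTag;
        Sealed(byte[] iv, byte[] ciphertextAndTag) { this.iv = iv; this.ciphertextAndTag = ciphertextAndTag; }
    }

    static Sealed encrypt(SecretKey key, byte[] aad, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        // A separate init() for every encryption, so every message gets its own IV.
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(aad);                 // authenticated but not encrypted
        byte[] ct = cipher.doFinal(plaintext); // ciphertext || tag
        // Read the IV back from the cipher rather than trusting the local copy: the page
        // states that Entrust's implementation replaces the supplied IV with its own.
        GCMParameterSpec used = cipher.getParameters().getParameterSpec(GCMParameterSpec.class);
        return new Sealed(used.getIV(), ct);
    }

    static byte[] decrypt(SecretKey key, byte[] aad, Sealed s) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, s.iv));
        cipher.updateAAD(aad);
        // Throws AEADBadTagException if the tag does not verify; no plaintext is released.
        return cipher.doFinal(s.ciphertextAndTag);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] aad = "record-id:42".getBytes(StandardCharsets.UTF_8);   // constructed sample header
        byte[] msg = "attack at dawn".getBytes(StandardCharsets.UTF_8); // constructed sample payload

        Sealed s1 = encrypt(key, aad, msg);
        Sealed s2 = encrypt(key, aad, msg);
        System.out.println("IVs differ across two encryptions: " + !Arrays.equals(s1.iv, s2.iv));
        System.out.println("round trip ok: " + Arrays.equals(decrypt(key, aad, s1), msg));

        // Flip one ciphertext byte: decryption must fail rather than return garbage.
        byte[] tampered = s1.ciphertextAndTag.clone();
        tampered[0] ^= 0x01;
        try {
            decrypt(key, aad, new Sealed(s1.iv, tampered));
            System.out.println("BUG: tampered ciphertext accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected");
        }

        // A modified header (AAD) is detected the same way even though it was never encrypted.
        try {
            decrypt(key, "record-id:43".getBytes(StandardCharsets.UTF_8), s1);
            System.out.println("BUG: modified AAD accepted");
        } catch (AEADBadTagException e) {
            System.out.println("modified AAD rejected");
        }
    }
}
```

The IV, ciphertext and tag can be stored or transmitted together in the clear; only the key is secret. Note that decrypt() never returns partial plaintext on failure, which is the property that distinguishes an authenticated mode from CBC plus a separate MAC applied incorrectly.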
The GCM block mechanism is currently supported with the following symmetric block ciphers:
Since padding is not required when using a symmetric cipher in the GCM block mode, and to promote interoperability and efficiency, only the "NoPadding" padding type is permitted with the GCM block mode.
GCM is defined in NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. It is a FIPS 140 approved symmetric cipher block mode of operation. It is also recommended for usage with AES in NSA's Suite B.
Note: This implementation has been optimized for processing large amounts of data (it employs a 64KB pre-computation table). There are alternative designs that offer better performance for small amounts of data (less than 512 bytes). Implementations for these alternative designs are not provided because the cases in which they offer advantages are limited and thought to be not widely used in practice.