Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Tasks

AES/GCM Interoperability

search

Please Note:

AES/GCM Interoperability

This page provides an information of a known issue and its proposed solution by adding a new default parameter interOp to the library.

A known issue in CADP for .NET Core that occurs when using a versioned key and Additional Authenticated Data (AAD) in AES/GCM Local mode, where the AUTH tag generated for Local mode and Remote mode is different, although the ciphertext remains the same.

The below table represents the scenarios that fail because of this issue.

EncryptionDecryptionRemarks
Remote mode in CADP for .NetCoreLocal mode in CADP for .NetCoreDecryption fails as the auth tags are different
Local mode in for CADP for .NET CoreRemote mode in CADP for .NET CoreDecryption fails as the auth tags are different
Local mode in for CADP for .NET CoreAny mode in any other connectorDecryption fails as the auth tags are different
Any mode in any other connectorLocal mode in CADP for .NetCoreDecryption fails as the auth tags are different

Solution

To resolve the above issue, a new default parameter interOp is added to the library for the Encrypt and Decrypt functions.

For every Encrypt operation, you need to set the interOp parameter as true else the encrypted text will not be compatible with:

  • CADP for .Net Core in remote mode of AES/GCM

  • Other connectors (in any mode)

The value of interOp parameter must be the same for both Encrypt and Decrypt operation. For example, if the value of interOp parameter is set to true during encryption, then it must be set to true in decryption also.

The Default value of the interOp parameter is set to false.

Note

If you encrypted the data using the old APIs in local mode, you must either set the InterOp parameter to false or omit it when decrypting the data.

Sample Code

byte[] tagVersionedKey = null;
// The last interOp parameter is set to true, in case you want the data to be decrypted using any other connector.
byte[] encDataVersionedKey = gcm.Encrypt(nonce, inputBytes, out tagVersionedKey, Encoding.ASCII.GetBytes(Default_AAD), true);
// As the interOp parameter is set to true while performing encryption operation, it must be set to true for decryption also, else the decryption will fail.
// Decrypting the encrypted data using Remote mode.
byte[] decDataVersionedKey = gcm.Decrypt(nonce, encDataVersionedKey, tagVersionedKey, Encoding.ASCII.GetBytes(Default_AAD), true);

On this page