I am implementing an AES cipher in GCM mode in c#. My question pertains to the “additional authenticated data”(AAD). In the following code from
http://blogs.msdn.com/b/shawnfa/archive/2009/03/17/authenticated-symmetric-encryption-in-net.aspx
it is unclear where I should get the AAD from, and how I should retrieve the AAD specific to this encryption during decryption:
// Authenticated data becomes part of the authentication tag that is generated during
// encryption, however it is not part of the ciphertext. That is, when decrypting the
// ciphertext the authenticated data will not be produced. However, if the
// authenticated data does not match at encryption and decryption time, the
// authentication tag will not validate.
aes.AuthenticatedData = Encoding.UTF8.GetBytes("Additional authenticated data");
Any clarification on how to use this AAD would be much appreciated.
Thanks
AAD stands for Additional Authenticated Data or Additional Associated Data. This is data that can be send in the clear together with the cipher text. Both the cipher text and the AAD are validated for integrity when you perform the combined verification and decryption of an AEAD cipher.
AAD data is not a key, it’s just plain data you can include in your protocol which needs to be protected for integrity, but does not need (or, more logically, would not be useful with) encryption. A good example would be a header of an encrypted IP packet; if you encrypt it you cannot use it for routing, if you don’t protect it’s integrity, an attacker may change the message length or source address without the receiver knowing about it.
Note that AEAD ciphers already include the IV / nonce in the calculation of the authentication tag. It is therefore unnecessary to include it in the AAD. The AAD is often used to include sender, receiver and possibly message identification number – if that’s present outside of the encrypted part of the message.