TL;DR
This guide shows you how to calculate an AES-GMAC (Galois/Counter Mode Message Authentication Code) using OpenSSL. It covers generating a key and IV, calculating the MAC over your data, and verifying the MAC.
Steps
- Generate an AES Key: You’ll need a 128, 192 or 256-bit AES key. For example, to generate a random 256-bit key:
openssl rand -hex 32
Save this output – it’s your secret key!
- Prepare Your Data: Decide on the data you want to authenticate. This could be any file or string of bytes.
- Generate an Initialization Vector (IV): The IV should be a random number, typically 128 bits long. It’s crucial that your IV is unique for each message encrypted with the same key. Use:
openssl rand -hex 16
- Calculate the AES-GMAC: Use OpenSSL to calculate the MAC.
openssl dgst -aes256gmac-iv -sign | openssl base64
Replace:
with the path to your AES key file. with the path to your IV file. with the path to your data file.
The base64 command converts the binary MAC output into a more readable string format.
- Verify the AES-GMAC: To verify, recalculate the MAC using the same key and IV as before, then compare it to the original MAC.
openssl dgst -aes256gmac-iv -verify -signature
Replace:
with the path to your AES key file. with the path to your IV file. with the path to your data file. with the path to the file containing the original MAC you calculated in step 4.
A successful verification will output ‘Verified OK’. If it fails, the data has been tampered with or an incorrect key/IV was used.
Important Considerations
- Key Management: Keep your AES key secret! Secure storage and access control are vital.
- IV Uniqueness: Never reuse the same IV with the same key for different messages. This compromises security.
- Error Handling: Always check the output of OpenSSL commands for errors.
- Alternative Tools: Other cryptography libraries (e.g., Python’s cryptography module) can also calculate AES-GMAC.

