TL;DR
This guide shows you how to calculate an AES-GMAC (Galois/Counter Mode Message Authentication Code) using OpenSSL. It covers generating a key and an IV, computing the MAC over your data, and verifying that MAC later.
Steps
- Generate an AES Key: You’ll need a 128-, 192- or 256-bit AES key. For example, to generate a random 256-bit key:
    openssl rand -hex 32
  Save this output to a file – it’s your secret key!
- Prepare Your Data: Decide on the data you want to authenticate. This could be any file or string of bytes.
- Generate an Initialization Vector (IV): The IV should be a random number, typically 128 bits long. It’s crucial that your IV is unique for each message authenticated with the same key. Use:
    openssl rand -hex 16
  Save this output to a file as well.
- Calculate the AES-GMAC: Use OpenSSL to calculate the MAC. The openssl mac subcommand is available in OpenSSL 3.0 and later; GMAC needs the underlying GCM cipher named with -cipher, and the key and IV are passed as hex strings, so they are read straight from the files saved above:
    openssl mac -cipher AES-256-GCM -macopt "hexkey:$(cat <key-file>)" -macopt "hexiv:$(cat <iv-file>)" -in <data-file> -binary GMAC | openssl base64
  Replace:
  - <key-file> with the path to your AES key file.
  - <iv-file> with the path to your IV file.
  - <data-file> with the path to your data file.
  The base64 command converts the binary MAC output into a more readable string format. Save the result to a file so you can verify against it later.
- Verify the AES-GMAC: To verify, recalculate the MAC using the same key and IV as before, then compare it to the original MAC (openssl mac has no verify mode of its own, so the comparison is done with cmp):
    openssl mac -cipher AES-256-GCM -macopt "hexkey:$(cat <key-file>)" -macopt "hexiv:$(cat <iv-file>)" -in <data-file> -binary GMAC | openssl base64 | cmp -s - <mac-file> && echo "Verified OK" || echo "Verification Failure"
  Replace:
  - <key-file> with the path to your AES key file.
  - <iv-file> with the path to your IV file.
  - <data-file> with the path to your data file.
  - <mac-file> with the path to the file containing the original MAC you calculated in step 4.
A successful verification will output ‘Verified OK’. If it fails, the data has been tampered with, or an incorrect key or IV was used.
Important Considerations
- Key Management: Keep your AES key secret! Secure storage and access control are vital.
- IV Uniqueness: Never reuse the same IV with the same key for different messages. A repeated key/IV pair exposes the GHASH authentication subkey and allows MACs to be forged, so treat a collision as a full compromise of that key. GCM hashes IVs of any length other than 96 bits into the counter block; 96 bits (12 bytes) is the size the GCM specification recommends.
- Error Handling: Always check the output and the exit status of OpenSSL commands for errors; an empty or missing MAC must never be treated as a successful verification.
- Alternative Tools: Other cryptography libraries (e.g., Python’s cryptography module) can also calculate AES-GMAC.