AES-GCM vs CBC

AES-GCM is an AEAD mode that provides both confidentiality and integrity through a single API. It outputs an authentication tag and supports associated data (AAD), so unencrypted headers can be bound to the ciphertext. CBC, by contrast, requires padding and must be combined with a MAC (e.g., HMAC-SHA256) in an encrypt-then-MAC construction to resist tampering.

Implementation pitfalls with CBC include padding oracles, IV reuse, and MAC-then-encrypt ordering errors. If you must use CBC for compatibility, use a fresh random IV per message, verify a separate MAC over the IV and ciphertext with a constant-time comparison before decrypting or unpadding (encrypt-then-MAC), and keep the MAC key distinct from the encryption key. Otherwise, prefer AES-GCM.

Operational guidance: never reuse nonces/IVs with the same key, store or transmit the nonce alongside ciphertext, and rotate keys periodically.
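The two constructions compared above, side by side, as an added example in Go that is not code from this page or its tools: AES-GCM with AAD, and AES-CBC with PKCS#7 padding authenticated by HMAC-SHA256 in encrypt-then-MAC order. Only the Go standard library is used; the function names are this example's own, the keys are constructed demo values, and it assumes Go 1.24 or later, where crypto/rand.Read is documented never to return an error. In both cases the nonce or IV is prepended to the ciphertext so it travels with it, and in the CBC path the MAC is checked (in constant time) before any decryption or unpadding takes place.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newGCM wraps an AES key in the GCM AEAD (96-bit nonce, 128-bit tag).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce||ciphertext||tag. The nonce travels with the ciphertext and
// must never repeat under one key, so a fresh random nonce is drawn per message.
func gcmSeal(key, aad, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // assumption: Go 1.24+, where Read never returns an error
	// One call encrypts and authenticates; aad (a header) is bound to the tag, not encrypted.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen verifies the tag over ciphertext and aad; any change makes Open fail.
func gcmOpen(key, aad, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], aad)
}

// PKCS#7 padding: needed by CBC, not by GCM.
func pkcs7Pad(b []byte, size int) []byte {
	p := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > size || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// cbcEtmEncrypt returns iv||ciphertext||tag with tag = HMAC-SHA256(macKey, iv||ciphertext):
// random IV per message, a separate MAC key, and the MAC covers the IV as well.
func cbcEtmEncrypt(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize) // out starts as the IV
	rand.Read(out)                     // assumption: Go 1.24+ (see above)
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	out = append(out, ct...)
	mac.Write(out)
	return mac.Sum(out), nil
}

// cbcEtmDecrypt compares the MAC in constant time and only then decrypts and unpads,
// so padding errors are never observable on unauthenticated data (no padding oracle).
func cbcEtmDecrypt(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}
```

Usage: `gcmSeal(key, header, plaintext)` followed by `gcmOpen(key, header, msg)`; flipping any byte of the message, or presenting a different header as AAD, makes `gcmOpen` return an error with no plaintext. The CBC pair behaves the same way, but needs two keys and roughly three times the code to get there, which is the practical argument for the AEAD mode.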

Related tools

Try: AES-GCM, AES, HMAC-SHA256

FAQ

Why is GCM recommended over CBC?
GCM provides authenticated encryption (AEAD), preventing undetected tampering and simplifying implementations. CBC needs padding and a separate MAC.
Can I reuse an IV/nonce?
No. Reusing a nonce with GCM or an IV with CBC (under the same key) breaks confidentiality and can enable attacks.