Cryptographic Token Interface Standard
PKCS#11
AES-GCM authenticated Encryption / Decryption
Generic GCM mode is described in [GCM]. To set up for AES-GCM use the following process, where K (key) and AAD (additional authenticated data) are as described in [GCM].
Encrypt:
- Set the IV length ulIvLen in the parameter block.
- Set the IV data pIv in the parameter block. pIv may be NULL if ulIvLen is 0.
- Set the AAD data pAAD and size ulAADLen in the parameter block. pAAD may be NULL if ulAADLen is 0.
- Set the tag length ulTagBits in the parameter block.
- Call C_EncryptInit() for CKM_AES_GCM mechanism with parameters and key K.
- Call C_Encrypt(), or C_EncryptUpdate()* C_EncryptFinal(), for the plaintext, obtaining ciphertext and authentication tag output.
"*" indicates 0 or more calls may be made as required.
Decrypt:
- Set the IV length ulIvLen in the parameter block.
- Set the IV data pIv in the parameter block. pIv may be NULL if ulIvLen is 0.
- Set the AAD data pAAD and size ulAADLen in the parameter block. pAAD may be NULL if ulAADLen is 0.
- Set the tag length ulTagBits in the parameter block.
- Call C_DecryptInit() for CKM_AES_GCM mechanism with parameters and key K.
- Call C_Decrypt(), or C_DecryptUpdate()* C_DecryptFinal(), for the ciphertext, including the appended tag, obtaining plaintext output.
In pIv the least significant bit of the initialization vector is the rightmost bit. ulIvLen is the length of the initialization vector in bytes.
The tag is appended to the ciphertext. The least significant bit of the tag is the rightmost bit, and the tag bits are the rightmost ulTagBits bits.
The key type for K must be compatible with CKM_AES_ECB and the C_EncryptInit/C_DecryptInit calls shall behave, with respect to K, as if they were called directly with CKM_AES_ECB, K and NULL parameters.
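The parameter-block rules and the ciphertext-plus-tag layout described above, as an added C example that is not part of the PKCS#11 text. `gcm_params_example` is a local stand-in whose field names follow this page (real code uses the structure from the PKCS#11 header), the helper names are hypothetical, and accepting only whole-byte tags of up to 128 bits is an assumption of the example.

```c
#include <limits.h>
#include <stddef.h>

/* Local stand-in for the GCM parameter block; field names follow the page.
   Real code uses the definition in the token's PKCS#11 header instead. */
typedef struct {
    unsigned char *pIv;       /* IV bytes, may be NULL only if ulIvLen == 0 */
    unsigned long  ulIvLen;   /* IV length in BYTES */
    unsigned char *pAAD;      /* AAD bytes, may be NULL only if ulAADLen == 0 */
    unsigned long  ulAADLen;  /* AAD length in bytes */
    unsigned long  ulTagBits; /* tag length in BITS */
} gcm_params_example;

/* Fill and sanity-check the block before C_EncryptInit/C_DecryptInit.
   Assumption of this example: only whole-byte tags up to 128 bits. */
int gcm_params_fill(gcm_params_example *p, unsigned char *iv, unsigned long iv_len,
                    unsigned char *aad, unsigned long aad_len, unsigned long tag_bits)
{
    if (p == NULL) return -1;
    if (iv == NULL && iv_len != 0) return -1;    /* NULL allowed only with length 0 */
    if (aad == NULL && aad_len != 0) return -1;
    if (tag_bits == 0 || tag_bits > 128 || tag_bits % 8 != 0) return -1;
    p->pIv = iv;   p->ulIvLen = iv_len;
    p->pAAD = aad; p->ulAADLen = aad_len;
    p->ulTagBits = tag_bits;
    return 0;
}

/* Encrypt output = ciphertext (same length as the plaintext) + appended tag. */
int gcm_encrypt_out_len(const gcm_params_example *p, unsigned long pt_len,
                        unsigned long *out_len)
{
    unsigned long tag_bytes = p->ulTagBits / 8;
    if (pt_len > ULONG_MAX - tag_bytes) return -1;   /* overflow guard */
    *out_len = pt_len + tag_bytes;
    return 0;
}

/* Decrypt input = ciphertext || tag. Report where the tag starts and how much
   plaintext to expect; reject input too short to hold the tag at all. */
int gcm_split_decrypt_input(const gcm_params_example *p, const unsigned char *in,
        unsigned long in_len, const unsigned char **tag, unsigned long *ct_len)
{
    unsigned long tag_bytes = p->ulTagBits / 8;
    if (in == NULL || in_len < tag_bytes) return -1;
    *ct_len = in_len - tag_bytes;
    *tag = in + *ct_len;
    return 0;
}
```

Sizing the encrypt buffer and rejecting undersized decrypt input before the token is called keeps the bytes/bits mix-up between ulIvLen and ulTagBits from turning into a short buffer or a truncated tag.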
RSA Security Inc. Public-Key Cryptography Standards -
PKCS#11 - v230