sodium_crypto_aead_aes256gcm_is_available

(PHP 7 >= 7.2.0, PHP 8)

sodium_crypto_aead_aes256gcm_is_available - Check if hardware supports AES256-GCM

Description

sodium_crypto_aead_aes256gcm_is_available(): bool

The return value of this function depends on whether or not the hardware supports hardware-accelerated AES.

Parameters

This function has no parameters.

Return Values

Returns true if it is safe to encrypt with AES-256-GCM, and false otherwise.

User Contributed Notes 1 note

Soatok Dreamseeker
3 years ago
The reason libsodium has an "is_available()" API for AES-GCM and not the ChaCha-Poly AEAD ciphers is that, unlike OpenSSL, libsodium will not expose AES-GCM unless your processor supports hardware-accelerated AES and PCLMULQDQ instructions.

If you're wondering what that means: software AES is vulnerable to cache-timing vulnerabilities, due to its internal dependence on table look-ups: https://cr.yp.to/antiforgery/cachetiming-20050414.pdf (PDF)

There's a similar attack on the authentication step in GCM (called GMAC or GHASH, depending on context), which leaks the GHASH key (called H) and can be used to perform chosen-ciphertext attacks freely.

- You can learn more about GCM exploits here (under the condition of nonce reuse rather than timing leaks, but the consequence is the same): https://www.youtube.com/watch?v=uxuXFK5XKEU

- You can learn more about AES-GCM here: https://soatok.blog/2020/05/13/why-aes-gcm-sucks/

- You can learn more about how it compares to other encryption modes here: https://soatok.blog/2020/07/12/comparison-of-symmetric-encryption-methods/

The other AEAD modes are safe to implement in software without risk of side-channel leakage.

The take-away is: AES-GCM isn't guaranteed to be available on all hardware because, without hardware support, libsodium will not provide insecure implementations.

If you want something guaranteed to be available even on hardware you do not control (hello open source maintainers), your choices are ChaCha20-Poly1305 and XChaCha20-Poly1305.

If you can control the hardware and explicitly need AES-GCM (n.b. for FIPS 140-2 validation), feel free to use AES-256-GCM.

<?php
function do_something(string $message, CryptoKeyObject $key): string {
    if (!sodium_crypto_aead_aes256gcm_is_available()) {
        throw new Exception("AES-256-GCM isn't available on your hardware");
    }

    // ... your code here ...
}
?>
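
The availability check and the XChaCha20-Poly1305 fallback discussed in the note above, as an added example that is not part of the PHP manual or of the contributed note. The one-byte algorithm tag, the message layout (tag, nonce, ciphertext) and the function names `seal_message` and `open_message` are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical one-byte algorithm tags for this example's message format.
const ALG_AES256GCM = "\x01";
const ALG_XCHACHA20 = "\x02";

/** Encrypts with AES-256-GCM when libsodium exposes it, else XChaCha20-Poly1305. */
function seal_message(string $message, string $key): string
{
    if (sodium_crypto_aead_aes256gcm_is_available()) {
        $alg = ALG_AES256GCM;
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES);
        // The tag byte is passed as additional data so it is authenticated.
        $ct = sodium_crypto_aead_aes256gcm_encrypt($message, $alg, $nonce, $key);
    } else {
        $alg = ALG_XCHACHA20;
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($message, $alg, $nonce, $key);
    }
    return $alg . $nonce . $ct;
}

/** Decrypts a sealed message; fails loudly if it needs AES-GCM on unsupported hardware. */
function open_message(string $sealed, string $key): string
{
    $alg = substr($sealed, 0, 1);
    if ($alg === ALG_AES256GCM) {
        if (!sodium_crypto_aead_aes256gcm_is_available()) {
            throw new RuntimeException('Message needs AES-256-GCM, which this CPU does not support');
        }
        $n = SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES;
        $pt = sodium_crypto_aead_aes256gcm_decrypt(substr($sealed, 1 + $n), $alg, substr($sealed, 1, $n), $key);
    } elseif ($alg === ALG_XCHACHA20) {
        $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(substr($sealed, 1 + $n), $alg, substr($sealed, 1, $n), $key);
    } else {
        throw new RuntimeException('Unknown algorithm tag');
    }
    if ($pt === false) {
        throw new RuntimeException('Authentication failed');
    }
    return $pt;
}

// Constructed sample key. Both AEADs take 32-byte keys; use a distinct key per algorithm in real use.
$key = random_bytes(32);
$sealed = seal_message('constructed sample message', $key);
echo bin2hex($sealed[0]), ' ', open_message($sealed, $key), PHP_EOL;
```

A message sealed with the AES-256-GCM tag on one host cannot be opened on a host where the check returns false, which is why `open_message` repeats the check instead of assuming the encrypting machine's capabilities.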