Question

I'm implementing AES GCM encryption in a WCF project. After reading and searching I found this example (the first class, AESGCM), which seems to be well written and up to date.

As I understand it, it's of high importance that the nonce be as unique as possible, and I want to make sure I understand the way this class works.

When I've used IV in the past, in CBC mode, it was necessary to save it for future decryption, but in the example attached I see that the IV (nonce) is not saved.

My question is: is the nonce part of the cipher text and extracted using:

cipherReader.ReadBytes(NonceBitSize / 8)

Or am I missing something and the IV/nonce should be saved?

Also - doesn't GCM require the use of salt?


Solution

In the linked piece of code the nonce is prepended to the cipher text. It is therefore recoverable. Losing the nonce means losing data.

In the comments I saw a dangerous idea: Not generating the nonce in a cryptographically secure way. That's not a good idea because you risk colliding nonces that way. It needlessly weakens security.
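The layout the answer describes, a randomly generated nonce prepended to the GCM output and read back from the front of the message on decryption, as an added example in Go's standard library. This is not the AESGCM class from the question nor code from the answerer; the 32-byte key is a constructed demo value (a real key would come from a key store or a KDF), and the `Encrypt`/`Decrypt` names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-GCM and returns nonce || ciphertext || tag.
// The nonce is drawn from crypto/rand (a CSPRNG), never a counter or math/rand.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its dst argument; passing the nonce as dst yields
	// nonce || ciphertext || tag in a single slice, so the nonce travels
	// with the message and does not need separate storage.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reads the nonce back from the front of msg and opens the remainder.
// The mirror of cipherReader.ReadBytes(NonceBitSize / 8) in the question.
func Decrypt(key, msg, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to hold nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad) // fails on any tampering or wrong nonce
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit demo key
	msg, err := Encrypt(key, []byte("payload for the WCF service"), []byte("v1"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("nonce=%x ciphertext+tag=%x\n", msg[:12], msg[12:])

	pt, err := Decrypt(key, msg, []byte("v1"))
	fmt.Printf("decrypt: %q err=%v\n", pt, err)

	// Strip the nonce prefix: the data is no longer recoverable.
	_, err = Decrypt(key, msg[12:], []byte("v1"))
	fmt.Println("without nonce:", err)

	// Flip one ciphertext bit: authentication fails.
	bad := append([]byte(nil), msg...)
	bad[len(bad)-1] ^= 0x01
	_, err = Decrypt(key, bad, []byte("v1"))
	fmt.Println("tampered:", err)
}
```

Each call to `Encrypt` draws a fresh nonce, so two encryptions of the same plaintext under the same key produce different output; reusing a nonce with the same key is the failure mode the answer warns about.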

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow