PHP 8.1.30 Released!

sodium_crypto_aead_aes256gcm_is_available

(PHP 7 >= 7.2.0, PHP 8)

sodium_crypto_aead_aes256gcm_is_availablePrüft, ob die Hardware AES256-GCM unterstützt

Beschreibung

sodium_crypto_aead_aes256gcm_is_available(): bool

Der Rückgabewert dieser Funktion hängt davon ab, ob die Hardware hardwarebeschleunigtes AES unterstützt oder nicht.

Parameter-Liste

Diese Funktion besitzt keine Parameter.

Rückgabewerte

Gibt true zurück, wenn es ist sicher ist mit AES-256-GCM zu verschlüsseln, und false wenn nicht.

add a note

User Contributed Notes 1 note

up
4
Soatok Dreamseeker
3 years ago
The reason libsodium has an "is_available()" API for AES-GCM and not the ChaCha-Poly AEAD ciphers is that, unlike OpenSSL, libsodium will not expose AES-GCM unless your processor supports hardware-accelerated AES and PCLMULQDQ instructions.

If you're wondering what that means: software AES is vulnerable to cache-timing vulnerabilities, due to its internal dependence on table look-ups: https://cr.yp.to/antiforgery/cachetiming-20050414.pdf (PDF)

There's a similar attack on the authentication step in GCM (called GMAC or GHASH, depending on context), which leaks the GHASH key (called H) and can be used to perform chosen-ciphertext attacks freely.

- You can learn more about GCM exploits here (under the condition of nonce reuse rather than timing leaks, but the consequence is the same): https://www.youtube.com/watch?v=uxuXFK5XKEU

- You can learn more about AES-GCM here: https://soatok.blog/2020/05/13/why-aes-gcm-sucks/

- You can learn more about how it compares to other encryption modes here: https://soatok.blog/2020/07/12/comparison-of-symmetric-encryption-methods/

The other AEAD modes are safe to implement in software without risk of side-channel leakage.

The take-away is: AES-GCM isn't guaranteed to be available on all hardware because, without hardware support, libsodium will not provide insecure implementations.

If you want something guaranteed to be available even on hardware you do not control (hello open source maintainers), your choices are ChaCha20-Poly1305 and XChaCha20-Poly1305.

If you can control the hardware and explicitly need AES-GCM (n.b. for FIPS 140-2 validation), feel free to use AES-256-GCM.

<?php
function do_something(string $message, CryptoKeyObject $key): string {
if (!
sodium_crypto_aead_aes256gcm_is_available()) {
throw new
Exception("AES-256-GCM isn't available on your hardware");
}
// ... your code here ...
}
?>
To Top