PHP 8.4.0 RC4 available for testing

sodium_crypto_aead_aes256gcm_is_available

(PHP 7 >= 7.2.0, PHP 8)

sodium_crypto_aead_aes256gcm_is_availableVérifie si le matériel prend en charge AES256-GCM

Description

sodium_crypto_aead_aes256gcm_is_available(): bool

La valeur de retour de cette fonction dépend du fait que le matériel prend en charge ou non l'AES accéléré par matériel.

Liste de paramètres

Cette fonction ne contient aucun paramètre.

Valeurs de retour

Renvoie true s'il est sûr de chiffrer avec AES-256-GCM, et false sinon.

add a note

User Contributed Notes 1 note

up
4
Soatok Dreamseeker
3 years ago
The reason libsodium has an "is_available()" API for AES-GCM and not the ChaCha-Poly AEAD ciphers is that, unlike OpenSSL, libsodium will not expose AES-GCM unless your processor supports hardware-accelerated AES and PCLMULQDQ instructions.

If you're wondering what that means: software AES is vulnerable to cache-timing vulnerabilities, due to its internal dependence on table look-ups: https://cr.yp.to/antiforgery/cachetiming-20050414.pdf (PDF)

There's a similar attack on the authentication step in GCM (called GMAC or GHASH, depending on context), which leaks the GHASH key (called H) and can be used to perform chosen-ciphertext attacks freely.

- You can learn more about GCM exploits here (under the condition of nonce reuse rather than timing leaks, but the consequence is the same): https://www.youtube.com/watch?v=uxuXFK5XKEU

- You can learn more about AES-GCM here: https://soatok.blog/2020/05/13/why-aes-gcm-sucks/

- You can learn more about how it compares to other encryption modes here: https://soatok.blog/2020/07/12/comparison-of-symmetric-encryption-methods/

The other AEAD modes are safe to implement in software without risk of side-channel leakage.

The take-away is: AES-GCM isn't guaranteed to be available on all hardware because, without hardware support, libsodium will not provide insecure implementations.

If you want something guaranteed to be available even on hardware you do not control (hello open source maintainers), your choices are ChaCha20-Poly1305 and XChaCha20-Poly1305.

If you can control the hardware and explicitly need AES-GCM (n.b. for FIPS 140-2 validation), feel free to use AES-256-GCM.

<?php
function do_something(string $message, CryptoKeyObject $key): string {
if (!
sodium_crypto_aead_aes256gcm_is_available()) {
throw new
Exception("AES-256-GCM isn't available on your hardware");
}
// ... your code here ...
}
?>
To Top