While reviewing an IPsec VPN configuration during a penetration test, you notice that a new tunnel specifies AES-256 in Galois/Counter Mode (GCM) instead of AES-256 in CBC mode. From a cryptographic standpoint, which extra security capability does AES-GCM provide natively, removing the need for a separate AH or HMAC?
Built-in key stretching to mitigate brute-force attacks
Automatic perfect forward secrecy through implicit key agreement
Resistance to differential cryptanalysis by masking S-box outputs
Authenticated encryption that assures message integrity
AES used in Galois/Counter Mode is an authenticated-encryption-with-associated-data (AEAD) construction. In addition to confidentiality from the counter (CTR) component, GCM generates a Galois Message Authentication Code (GMAC) that verifies the integrity and authenticity of each packet. Traditional CBC mode only encrypts; it does not supply integrity, so protocols that rely on AES-CBC must add a separate authentication mechanism such as HMAC or IPsec's AH. GCM therefore eliminates that extra step. Perfect forward secrecy comes from key-exchange algorithms like Diffie-Hellman, not from the block-cipher mode. Resistance to differential cryptanalysis and key-stretching features are unrelated to the choice between CBC and GCM.
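The difference described above, as an added Go example (not part of the original page): the same one-bit modification in transit is silently accepted by AES-256-CBC without a MAC, but rejected by AES-256-GCM's tag check, including when only the associated data changes. The key, payload and the 8-byte associated data (standing in for an ESP SPI and sequence number) are constructed values, and all function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func mustAES(key []byte) cipher.Block { // a 32-byte key selects AES-256
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// cbcAcceptsTampering: AES-256-CBC with no MAC. One IV bit is flipped in transit;
// returns true when decryption silently yields altered plaintext.
func cbcAcceptsTampering(key, pt []byte) bool { // len(pt): multiple of 16, no padding
	iv, buf := make([]byte, aes.BlockSize), make([]byte, len(pt))
	rand.Read(iv)
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(buf, pt)
	iv[0] ^= 0x01 // modification in transit
	cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(buf, buf) // no error path exists
	return string(buf) != string(pt)
}

// gcmOpen: AES-256-GCM. XORs ctMask into the ciphertext and aadMask into the
// associated data (0 = untouched) and returns the receiver's tag check result.
func gcmOpen(key, pt, aad []byte, ctMask, aadMask byte) error {
	gcm, _ := cipher.NewGCM(mustAES(key)) // cannot fail for a 16-byte block cipher
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	sealed := gcm.Seal(nil, nonce, pt, aad) // ciphertext || 16-byte tag
	recvAAD := append([]byte(nil), aad...)
	sealed[0] ^= ctMask
	recvAAD[0] ^= aadMask
	_, err := gcm.Open(nil, nonce, sealed, recvAAD)
	return err
}

func main() {
	key, pt := make([]byte, 32), []byte("constructed pkt!") // constructed demo key, 16-byte payload
	aad := []byte{0, 0, 0x10, 0x01, 0, 0, 0, 1}            // constructed SPI + sequence number
	fmt.Println("CBC accepts altered packet:", cbcAcceptsTampering(key, pt))
	fmt.Println("GCM intact:", gcmOpen(key, pt, aad, 0, 0))
	fmt.Println("GCM ciphertext bit flipped:", gcmOpen(key, pt, aad, 1, 0))
	fmt.Println("GCM header (AAD) bit flipped:", gcmOpen(key, pt, aad, 0, 1))
}
```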
Certified Ethical Hacker (CEH)
Cryptography