© 2026 Yiğit Yalım. All rights reserved.
May 10, 2026 · crypto

AEAD Tamper Demo

Encrypt with AES-256-GCM, flip a single byte of the ciphertext, watch decryption fail with "authentication failed". Explains *why* you need authenticated encryption in one click.

aes-gcm · aead · tamper-detection · webcrypto


"Authenticated Encryption with Associated Data" means not just encrypting a message but also verifying it hasn't been modified. Classic AES-CBC doesn't do this: if someone flips a bit of the ciphertext, decryption returns garbage but no error. AEAD modes like AES-GCM produce an authentication tag; decryption checks the tag and throws if it doesn't match.


Click a ciphertext byte, flip its LSB, then try to decrypt: the GCM tag catches the change.

Click any ciphertext byte — its lowest bit flips, the cell turns red. Press "decrypt"; you'll get "authentication failed". "fresh key" generates new key + nonce.

What it teaches

  • Tampered ciphertext doesn't silently produce wrong plaintext — it throws an explicit error
  • This comes from the authentication tag, a 128-bit MAC carried alongside the ciphertext
  • The tag is computed over key + plaintext + IV — an attacker can't change the tag and keep it valid because they don't know the key
  • The IV (nonce) can be predictable but must be unique — using the same (key, nonce) pair twice is catastrophic for GCM and leaks plaintext

In practice

const plaintext = new TextEncoder().encode("hello, aead"); // the bytes to protect
const key = await crypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
const iv = crypto.getRandomValues(new Uint8Array(12)); // 96-bit nonce, unique per message under this key
const ct = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext);
// the last 16 bytes of ct are the auth tag — WebCrypto appends it automatically

In production, generate a fresh random IV per message and store it next to the ciphertext (e.g. in the same row): decryption can always find it and no counter state has to be kept. Don't use a sequential counter whose value is observable to others: anyone who can predict it can engineer IV reuse.