Adding Aes256GCM + Aes256SIV compliance tunning

Author: HaikAsatryan

Readme.md

@@ -56,10 +56,27 @@ builder.ConfigureArgon2Id(options =>
 var app = builder.Build();
 
 app.Run();
-
 ```
 
-### AES256 Class (Old, Deprecated)
+### 🔥 Breaking change (short) Version 5 to 6
+
+We introduced **two intentional** changes to make usage clearer and safer:
+
+1. `Aes256Siv` **is now RFC-5297 compliant**.
+   The previous, non-standard implementation is renamed `Aes256SivLegacy` (compat only).
+
+New `Aes256Gcm` for files.
+Fully compliant AES-GCM with framed streaming and truncation detection. Prefer this for files of any size.
+
+#### What you must do
+
+- If you previously called `Aes256Siv`, rename those references to `Aes256SivLegacy` to keep current data working.
+- When ready, migrate legacy ciphertexts to the new format using `AesSivMigration` (single/batch helpers).
+- For files, use `Aes256Gcm` instead of SIV.
+
+> That’s it. This section is intentionally short—see API notes below.
+
+### 🔥 Breaking change Version 4 to 5
 
 > Warning
 > `Aes256` is now deprecated because it used a SHA3 hash for deterministic output, which can weaken overall security.
@@ -123,27 +140,46 @@ string decryptedText = Encoding.UTF8.GetString(outputStream.ToArray());
    encrypting emails in your software and also want that emails to be unique. With our Aes256 class by default your
    emails will be unique as in front will be the unique hash.
 
-### AES256Siv (New, Recommended)
+### Aes256Gcm - Perfect for files
 
-**AES-SIV** (RFC 5297) is the new recommended approach in PandaTech.Crypto for deterministic AES encryption.
-It **does not** rely on storing a large hash for uniqueness, instead uses a **synthetic IV** approach to provide both
-authentication and deterministic encryption.
+**Use this for: images, videos, audio, PDF, XLSX, PPTX, etc.**
+
+- AEAD (confidentiality + integrity)
+- Bounded memory, chunked frames (`64 KiB` by default)
+- Detects clean truncation via a terminal 0-length authenticated frame
 
 ```csharp
 // Encrypt
-byte[] sivCipher = Aes256Siv.Encrypt("your-plaintext");
-
-// Decrypt
-string decrypted = Aes256Siv.Decrypt(sivCipher);
+Aes256Gcm.RegisterKey(key);
+using var fin  = File.OpenRead("report.pdf");
+using var fout = File.Create("report.pdf.gcm");
+Aes256Gcm.Encrypt(fin, fout);
+
+// decrypt
+using var ein  = File.OpenRead("report.pdf.gcm");
+using var eout = File.Create("report.dec.pdf");
+Aes256Gcm.Decrypt(ein, eout);
 ```
 
-**Notes:**
+> Tip: You can pass a per-call override key: Encrypt(fin, fout, key) / Decrypt(...).
+
+### Aes256Siv - Deterministic and perfect for PII
+
+Use this for PII you need to **match deterministically** (e.g., names/IDs) and decrypt later.
+This is **spec-correct AES-SIV (RFC-5297)**: CMAC S2V + masked CTR, output is `V(16B) || C`.
 
-- Deterministic: Encrypting the same plaintext with the same key always produces the same ciphertext.
+```csharp
+Aes256Siv.RegisterKey(key);
+
+byte[] cipher = Aes256Siv.Encrypt("John Q Public");
+string plain  = Aes256Siv.Decrypt(cipher);
+
+// byte[] API
+var c2 = Aes256Siv.Encrypt(dataBytes);
+var p2 = Aes256Siv.DecryptToBytes(c2);
+```
 
-- Security: AES-SIV is an AEAD mode, providing both authenticity (tamper detection) and deterministic encryption.
-- Stream-based usage is also available via `Encrypt(Stream in, Stream out, string? key = null) and Decrypt(Stream in,
-  Stream out, string? key = null)`.
+> Note: SIV is two-pass by design → not ideal for big files. Use GCM for files.
 
 ### AesMigration
 

src/Pandatech.Crypto/Extensions/WebAppExtensions.cs

@@ -8,11 +8,14 @@ public static class WebAppExtensions
    public static WebApplicationBuilder AddAes256Key(this WebApplicationBuilder builder, string aesKey)
    {
       Aes256.RegisterKey(aesKey);
+      Aes256SivLegacy.RegisterKey(aesKey);
+      Aes256Gcm.RegisterKey(aesKey);
       Aes256Siv.RegisterKey(aesKey);
       return builder;
    }
 
-   public static WebApplicationBuilder ConfigureArgon2Id(this WebApplicationBuilder builder, Action<Argon2IdOptions> configure)
+   public static WebApplicationBuilder ConfigureArgon2Id(this WebApplicationBuilder builder,
+      Action<Argon2IdOptions> configure)
    {
       var options = new Argon2IdOptions();
       configure(options);

src/Pandatech.Crypto/Helpers/Aes256Gcm.cs

@@ -0,0 +1,238 @@
+using System.Buffers.Binary;
+using System.Diagnostics.CodeAnalysis;
+using System.Security.Cryptography;
+
+namespace Pandatech.Crypto.Helpers;
+
+public static class Aes256Gcm
+{
+   private const int KeySize = 32; // 256-bit
+   private const int NonceSize = 12; // GCM recommended
+   private const int TagSize = 16; // 128-bit tag
+   private const int DefaultChunkSize = 64 * 1024;
+
+   // [Magic: 'PGCM'][Version:1][BaseNonce:12][ChunkSize:4 LE]
+   // Frames: [PlainLen:4 LE][Tag:16][Ciphertext:PlainLen]
+   private static readonly byte[] Magic = "PGCM"u8.ToArray();
+
+   private const byte Version = 1;
+
+   private static string? GlobalKey { get; set; }
+
+   internal static void RegisterKey(string key)
+   {
+      ValidateKey(key);
+      GlobalKey = key;
+   }
+
+   public static void Encrypt(Stream input, Stream output) => Encrypt(input, output, null);
+
+   public static void Encrypt(Stream input, Stream output, string? key)
+   {
+      ArgumentNullException.ThrowIfNull(input);
+      ArgumentNullException.ThrowIfNull(output);
+
+      var k = GetKeyBytes(key);
+
+      Span<byte> baseNonce = stackalloc byte[NonceSize];
+      RandomNumberGenerator.Fill(baseNonce);
+
+      // header
+      Span<byte> header = stackalloc byte[Magic.Length + 1 + NonceSize + 4];
+      Magic.CopyTo(header);
+      header[4] = Version;
+      baseNonce.CopyTo(header.Slice(5, NonceSize));
+      BinaryPrimitives.WriteUInt32LittleEndian(header.Slice(5 + NonceSize, 4), (uint)DefaultChunkSize);
+      output.Write(header);
+
+      using var aes = new AesGcm(k, TagSize);
+
+      var plain     = new byte[DefaultChunkSize];
+      var cipher    = new byte[DefaultChunkSize];   // <— you removed this; we need it
+      var tagBuf    = new byte[TagSize];
+      var nonceBuf  = new byte[NonceSize];
+      var frameLen4 = new byte[4];
+      var aadLen    = 5 + NonceSize + 4;
+
+      ulong counter = 0;
+      int read;
+
+      // --- data frames ---
+      while ((read = input.Read(plain, 0, plain.Length)) > 0)
+      {
+         DeriveNonce(baseNonce, counter, nonceBuf);
+
+         var p   = plain.AsSpan(0, read);
+         var c   = cipher.AsSpan(0, read);
+         var tag = tagBuf.AsSpan();
+
+         aes.Encrypt(nonceBuf, p, c, tag, header[..aadLen]);
+
+         BinaryPrimitives.WriteUInt32LittleEndian(frameLen4, (uint)read);
+         output.Write(frameLen4);   // len
+         output.Write(tagBuf);      // tag
+         output.Write(c);           // ciphertext
+
+         counter++;
+      }
+
+      // --- single terminal 0-length authenticated frame ---
+      DeriveNonce(baseNonce, counter, nonceBuf);
+      aes.Encrypt(nonceBuf,
+         ReadOnlySpan<byte>.Empty,
+         Span<byte>.Empty,
+         tagBuf,
+         header[..aadLen]);
+
+      BinaryPrimitives.WriteUInt32LittleEndian(frameLen4, 0u);
+      output.Write(frameLen4);
+      output.Write(tagBuf);
+   }
+
+
+   public static void Decrypt(Stream input, Stream output) => Decrypt(input, output, null);
+
+   public static void Decrypt(Stream input, Stream output, string? key)
+   {
+      ArgumentNullException.ThrowIfNull(input);
+      ArgumentNullException.ThrowIfNull(output);
+
+      var k = GetKeyBytes(key);
+
+      // header (single stackalloc outside loops)
+      Span<byte> header = stackalloc byte[Magic.Length + 1 + NonceSize + 4];
+      ReadExactly(input, header);
+
+      if (!header[..4]
+             .SequenceEqual(Magic))
+      {
+         throw new CryptographicException("Invalid header.");
+      }
+
+      if (header[4] != Version)
+      {
+         throw new CryptographicException("Unsupported version.");
+      }
+
+      var baseNonce = header.Slice(5, NonceSize)
+                            .ToArray();
+      var chunkSize = BinaryPrimitives.ReadUInt32LittleEndian(header.Slice(5 + NonceSize, 4));
+      if (chunkSize == 0 || chunkSize > 16 * 1024 * 1024)
+         throw new CryptographicException("Invalid chunk size.");
+
+      using var aes = new AesGcm(k, TagSize);
+
+      var cipher = new byte[chunkSize];
+      var plain = new byte[chunkSize];
+      var tagBuf = new byte[TagSize];
+      var nonceBuf = new byte[NonceSize];
+      var lenBuf4 = new byte[4];
+      var aadLen = 5 + NonceSize + 4;
+
+      ulong counter = 0;
+      var sawTerminal = false;
+
+      while (true)
+      {
+         var got = input.Read(lenBuf4);
+         if (got == 0)
+            break; // we’ll check sawTerminal below
+
+         if (got != 4)
+            throw new CryptographicException("Truncated frame.");
+
+         var len = BinaryPrimitives.ReadUInt32LittleEndian(lenBuf4);
+         if (len > chunkSize)
+            throw new CryptographicException("Frame too large.");
+
+         ReadExactly(input, tagBuf);
+
+         DeriveNonce(baseNonce, counter, nonceBuf);
+
+         if (len == 0)
+         {
+            // terminal frame: verify tag on empty payload
+            aes.Decrypt(nonceBuf,
+               ReadOnlySpan<byte>.Empty,
+               tagBuf,
+               Span<byte>.Empty,
+               header[..aadLen]);
+
+            sawTerminal = true;
+
+            // after terminal, there MUST be no extra data
+            if (input.Read(lenBuf4) != 0)
+               throw new CryptographicException("Trailing data after terminal frame.");
+
+            break;
+         }
+
+         var c = cipher.AsSpan(0, (int)len);
+         ReadExactly(input, c);
+
+         var p = plain.AsSpan(0, (int)len);
+         aes.Decrypt(nonceBuf, c, tagBuf, p, header[..aadLen]);
+         output.Write(p);
+
+         counter++;
+      }
+
+      if (!sawTerminal)
+         throw new CryptographicException("Missing terminal authentication frame.");
+   }
+
+   private static void DeriveNonce(ReadOnlySpan<byte> baseNonce, ulong counter, Span<byte> outNonce)
+   {
+      // outNonce = baseNonce; then XOR LE64(counter) into last 8 bytes — no temporaries.
+      baseNonce.CopyTo(outNonce);
+      for (var i = 0; i < 8; i++)
+      {
+         var b = (byte)((counter >> (8 * i)) & 0xFF);
+         outNonce[NonceSize - 8 + i] ^= b;
+      }
+   }
+
+   private static void ReadExactly(Stream s, Span<byte> buffer)
+   {
+      var total = 0;
+      while (total < buffer.Length)
+      {
+         var r = s.Read(buffer.Slice(total));
+         if (r == 0) throw new CryptographicException("Truncated input.");
+         total += r;
+      }
+   }
+
+   private static byte[] GetKeyBytes(string? overrideKey)
+   {
+      if (string.IsNullOrEmpty(overrideKey))
+      {
+         return GlobalKey is null
+            ? throw new InvalidOperationException("AES256 Key not configured. Call RegisterKey(...) or provide a key.")
+            : Convert.FromBase64String(GlobalKey);
+      }
+
+      ValidateKey(overrideKey);
+      return Convert.FromBase64String(overrideKey);
+   }
+
+   private static void ValidateKey([NotNull] string? key)
+   {
+      if (string.IsNullOrWhiteSpace(key) || !IsBase64String(key))
+      {
+         throw new ArgumentException("Key must be valid Base64.");
+      }
+
+      if (Convert.FromBase64String(key)
+                 .Length != KeySize)
+      {
+         throw new ArgumentException("Key must be 32 bytes (256 bits).");
+      }
+   }
+
+   private static bool IsBase64String(string input)
+   {
+      var buffer = new Span<byte>(new byte[input.Length]);
+      return Convert.TryFromBase64String(input, buffer, out _);
+   }
+}