且构网


Source and importance of the nonce/IV when using AES-GCM in a protocol

Updated: 2022-03-30 02:56:25


GCM is a block cipher counter mode with authentication. Counter mode effectively turns a block cipher into a stream cipher, and therefore many of the rules for stream ciphers still apply. It's important to note that the same Key+IV will always produce the same PRNG stream, and reusing this PRNG stream can lead to an attacker obtaining plaintext with a simple XOR. In a protocol the same Key+IV can be used for the life of the session, so long as the mode's counter doesn't wrap (int overflow). For example, a protocol could have two parties who have a pre-shared secret key; they could then negotiate a new cryptographic Nonce that is used as the IV for each session (remember, nonce means use ONLY ONCE).


If you want to use AES as a block cipher you should look into CMAC mode or perhaps the OMAC1 variant. With CMAC mode all of the rules for CBC still apply. In this case you would have to make sure that each packet used a unique IV that is also random. However, it's important to note that reusing an IV doesn't have nearly as dire consequences as reusing a PRNG stream.
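As an added example that is not part of the original answer, here is a Go wrapper around the standard library's AES-GCM that gives every message in a session a fresh 96-bit nonce (a random per-session prefix plus a message counter) and refuses to continue once the counter would wrap, so the same Key+IV is never fed to GCM twice. The `SessionSealer` type and its methods are hypothetical names chosen for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// SessionSealer (hypothetical helper for this page, not project code) gives every
// message a fresh 96-bit nonce: 4-byte random session prefix + 8-byte counter.
type SessionSealer struct {
	aead    cipher.AEAD
	prefix  [4]byte
	counter uint64
}

func NewSessionSealer(key []byte) (*SessionSealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &SessionSealer{aead: aead}
	_, err = rand.Read(s.prefix[:]) // new prefix each time the key starts a session
	return s, err
}

// Seal returns nonce||ciphertext||tag and refuses to let the counter wrap,
// since a wrapped counter would repeat a nonce under the same key.
func (s *SessionSealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, errors.New("nonce space exhausted: rekey the session")
	}
	nonce := make([]byte, s.aead.NonceSize())
	copy(nonce, s.prefix[:])
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}
// Open splits off the nonce and checks the tag before releasing plaintext.
func (s *SessionSealer) Open(msg, aad []byte) ([]byte, error) {
	if n := s.aead.NonceSize(); len(msg) >= n+s.aead.Overhead() {
		return s.aead.Open(nil, msg[:n], msg[n:], aad)
	}
	return nil, errors.New("message too short")
}
```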