How AES-GCM fails when nonces are reused.
AES-GCM is a strong authenticated-encryption mode, but it has one rule that cannot be treated casually: never reuse the same key and nonce pair. CryptoToolkit turns that rule into a visible, runnable lesson.
The short version
AES-GCM combines counter-mode encryption with a polynomial authenticator called GHASH. If two messages are encrypted under the same key and nonce, the counter-mode keystream is identical for both, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. An attacker who knows or can guess one message then reads the other, and even without that, the relationship between the two plaintexts is exposed.
In practice, the damage can be bigger than a simple confidentiality leak. Because the GHASH tag is a polynomial in a fixed per-key authentication value, two tags computed under the same nonce also leak that value, and with it an attacker can forge tags for other messages under the same key.
What to look for
- Static IVs or counters that reset after restart.
- Multiple systems sharing the same key without coordinated nonce allocation.
- Encrypted backups, logs, or messages that generate IVs outside a cryptographic random source.
- Protocol wrappers that hide nonce construction from reviewers.
Use the interactive module
Open the GCM Nonce Reuse attack module to see plaintext relationships appear from two ciphertexts. Then open AES-GCM Authenticated Encryption to inspect the normal workflow.
The browser demo is educational. It shows the failure mode clearly, but it is not production crypto code and should not be copied into real systems.
Safe implementation rule
Use a mature library or the Web Crypto API, generate nonces exactly as the library documentation prescribes, and treat nonce uniqueness as part of the security boundary: enforce it in code rather than assuming it. If you cannot prove uniqueness, redesign before shipping.