AES-256-GCM Authenticated Encryption
Every Agora message is encrypted with AES-256-GCM, an authenticated encryption with associated data (AEAD) construction. The 256-bit key provides confidentiality — without it, the ciphertext is indistinguishable from random bytes. The 128-bit GCM authentication tag provides integrity: any tampering with ciphertext, nonce, or associated data causes decryption to fail before the plaintext is ever returned to the application.
The encryption key is derived per room from the shared secret via HKDF-SHA256, so the same secret produces a different key in every room. The nonce (12 bytes, 96-bit) is generated fresh and randomly for each message — never derived from a counter — eliminating the catastrophic nonce-reuse failure mode that affects deterministic-nonce AEAD constructions.
The wire format is nonce (12 bytes) || ciphertext || tag (16 bytes). Decryption extracts the nonce, verifies the tag against the ciphertext and AAD, and only then returns the plaintext. If any byte has been modified in transit, the tag check fails and the message is discarded.
- Algorithm
- AES-256-GCM (AEAD)
- Key length
- 256 bits (32 bytes)
- Tag length
- 128 bits (16 bytes)
- Nonce length
- 96 bits (12 bytes), random per message