User Authentication Using the AES-GCM Algorithm and PBKDF2 Function

2025; pp. 36-42
Authors:
1 Lviv Polytechnic National University, Department of Information Technologies Security, Ukraine

This paper presents a cryptographic user authentication protocol based on AES in Galois/Counter Mode (GCM) and key derivation using PBKDF2-HMAC-SHA256. The proposed scheme follows a challenge–response model and ensures confidentiality, integrity, and authenticity of transmitted data without disclosing or storing the password in plaintext. A client-server architecture was implemented, with the backend developed in Flask (Python) and the frontend in JavaScript. The protocol incorporates nonce usage, authentication tag verification, and protection against replay and brute-force attacks.

Performance evaluation demonstrates the protocol’s high efficiency: the average authentication time using AES-GCM with PBKDF2 was 134.47 ms, significantly outperforming bcrypt (660 ms) and argon2id (413 ms). Average user registration time was 150.47 ms. The achieved results confirm the suitability of the protocol for secure integration into modern web and IoT environments, where low latency and robust cryptographic security are essential.
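A minimal sketch of a challenge-response exchange of the kind the abstract describes, added here as an illustration and not the authors' implementation. It uses Node.js `crypto`; the function names, the in-memory stores, the iteration count, and the use of the username as associated data are assumptions, since the page does not give the message formats.

```javascript
const crypto = require('crypto');

// Assumed parameters (not given on the page): iteration count and key length.
const ITER = 100000, KEYLEN = 32;
const deriveKey = (password, salt) =>
  crypto.pbkdf2Sync(password, salt, ITER, KEYLEN, 'sha256');

// Server state (hypothetical): each record holds salt + derived key, never the password.
const users = new Map();
const pending = new Map(); // username -> outstanding one-time challenge

function register(username, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, key: deriveKey(password, salt) });
}

// Step 1 (server): issue a fresh random challenge together with the user's salt.
function issueChallenge(username) {
  const user = users.get(username);
  if (!user) return null;
  const challenge = crypto.randomBytes(32);
  pending.set(username, challenge);
  return { salt: user.salt, challenge };
}

// Step 2 (client): derive the key locally and seal the challenge with AES-256-GCM.
function respond(username, password, { salt, challenge }) {
  const iv = crypto.randomBytes(12); // fresh 96-bit GCM nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(username)); // bind the response to the claimed identity
  const ct = Buffer.concat([cipher.update(challenge), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Step 3 (server): verify the tag, compare the challenge, and consume it (replay protection).
function verify(username, { iv, ct, tag }) {
  const user = users.get(username), challenge = pending.get(username);
  pending.delete(username); // one attempt per challenge, success or failure
  if (!user || !challenge || tag.length !== 16) return false;
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', user.key, iv);
    d.setAAD(Buffer.from(username));
    d.setAuthTag(tag);
    const pt = Buffer.concat([d.update(ct), d.final()]); // final() throws on a bad tag
    return pt.length === challenge.length && crypto.timingSafeEqual(pt, challenge);
  } catch {
    return false;
  }
}
```

In this sketch the stored derived key is all a client needs to answer a challenge, so the server-side record has to be protected like a credential.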
