ARCHIVED from builddistributedsystem.com on 2026-04-28 — URL: https://builddistributedsystem.com/tracks/securitor/tasks/task-24-2-1-symmetric-encryption
TASK

Implementation

Symmetric encryption uses the same key to encrypt and decrypt. AES-256-GCM is the modern standard: it is both a cipher (confidentiality) and a MAC (integrity). The auth tag proves the ciphertext has not been modified since it was encrypted.

Implement a node that encrypts and decrypts data using AES-256-GCM:

// Encrypt plaintext -> get IV, ciphertext, and auth tag
{ "type": "encrypt", "msg_id": 1,
  "plaintext": "Secret message" }
-> { "type": "encrypted", "in_reply_to": 1,
    "iv": "<random 12-byte hex>",
    "encryptedData": "<ciphertext hex>",
    "authTag": "<16-byte hex>" }

// Decrypt back to plaintext
{ "type": "decrypt", "msg_id": 2,
  "iv": "abc123", "encryptedData": "xyz789", "authTag": "def456" }
-> { "type": "decrypted", "in_reply_to": 2,
    "plaintext": "Secret message" }

// Tampered ciphertext -> authentication failure
{ "type": "decrypt", "msg_id": 3,
  "iv": "abc123", "encryptedData": "TAMPERED", "authTag": "def456" }
-> { "type": "decryption_failed", "in_reply_to": 3,
    "error": "Authentication failed - data has been tampered with" }

Encrypting the same plaintext twice must produce different ciphertexts because each encryption uses a freshly generated random IV.

Sample Test Cases

Encrypt data with AES-256-GCMTimeout: 5000ms
Input
{
  "src": "client",
  "dest": "encryption",
  "body": {
    "type": "encrypt",
    "msg_id": 1,
    "plaintext": "Secret message"
  }
}
Expected Output
{"type": "encrypted", "in_reply_to": 1, "iv": ".*", "encryptedData": ".*", "authTag": ".*"}
Decrypt valid dataTimeout: 5000ms
Input
{
  "src": "client",
  "dest": "encryption",
  "body": {
    "type": "decrypt",
    "msg_id": 1,
    "iv": "abc123",
    "encryptedData": "xyz789",
    "authTag": "def456"
  }
}
Expected Output
{"type": "decrypted", "in_reply_to": 1, "plaintext": "Secret message"}

Hints

Hint 1
AES-256-GCM uses a 256-bit key, a random 12-byte IV, and produces a 16-byte auth tag
Hint 2
Generate a fresh random IV for every encryption — never reuse IVs with the same key
Hint 3
The auth tag lets you detect if the ciphertext was tampered with
Hint 4
Decryption fails with an authentication error if IV, ciphertext, or auth tag is wrong
Hint 5
Encrypting the same plaintext twice should produce different ciphertexts (different IVs)

Resources

AES-GCM
AES-GCM: authenticated encryption providing both confidentiality and integrity
NIST AES Specification
NIST Advanced Encryption Standard (FIPS 197)
OVERVIEW

Theoretical Hub

Concept overview coming soon

Key Concepts

AES-256-GCMsymmetric encryptionIVauthentication tagtamper detection
main.py
python
Implement Symmetric Encryption - The Securitor | Build Distributed Systems