AES-GCM (Galois/Counter Mode) provides authenticated encryption with associated data (AEAD). It encrypts the plaintext and also produces a 128-bit authentication tag. Any modification to the ciphertext makes tag verification fail, and decryption is rejected. AES-CBC encrypts correctly but provides no integrity check. An attacker who can flip bits in a CBC ciphertext changes the decrypted plaintext, and the receiver accepts it silently. This missing integrity check is the basis of padding oracle attacks. Always use an AEAD mode (GCM, ChaCha20-Poly1305) for any new system.
Computerphile: AES-GCM and Authenticated Encryption explained by Dr Mike Pound
Security Now: Steve Gibson and Leo Laporte on encryption, protocol security and applied cryptography
GCM uses a 96-bit nonce. Reusing the same nonce with the same key completely breaks GCM security: it reveals the authentication key and exposes the XOR of the plaintexts encrypted under that nonce. Always generate a random 96-bit nonce per encryption, store it alongside the ciphertext and never reuse it.
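The contrast described above, as an added example (not code from the original page) using Node.js's built-in crypto module: the same one-bit change is rejected by AES-GCM and silently accepted by AES-CBC, and each GCM message carries its own random 96-bit nonce. The key, the sample record and the helper names (sealGcm, openGcm, sealCbc, openCbc, flipBit, rejects) are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM: fresh random 96-bit nonce per message, stored with the ciphertext.
// Layout: nonce (12 bytes) || ciphertext || tag (16 bytes).
function sealGcm(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Throws if any bit of the nonce, ciphertext or tag was modified.
function openGcm(key, msg) {
  if (msg.length < 12 + 16) throw new Error('message shorter than nonce plus tag');
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(msg.subarray(msg.length - 16));
  const body = d.update(msg.subarray(12, msg.length - 16));
  return Buffer.concat([body, d.final()]); // final() throws on tag mismatch
}

// AES-256-CBC with no MAC. Layout: iv (16 bytes) || ciphertext.
function sealCbc(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}

function openCbc(key, msg) {
  const d = crypto.createDecipheriv('aes-256-cbc', key, msg.subarray(0, 16));
  return Buffer.concat([d.update(msg.subarray(16)), d.final()]);
}

// Flip one bit at byte offset i in a copy of msg (simulated in-transit change).
function flipBit(msg, i) {
  const out = Buffer.from(msg);
  out[i] ^= 0x01;
  return out;
}

// Returns true when the receiver refuses the message.
function rejects(open, key, msg) {
  try { open(key, msg); return false; } catch (e) { return true; }
}

const key = crypto.randomBytes(32); // constructed demo key
const record = Buffer.from('0123456789abcdefpay=0100;to=bob;'); // constructed 32-byte sample
console.log('CBC accepts:', openCbc(key, flipBit(sealCbc(key, record), 16 + 4)).subarray(16).toString());
console.log('GCM rejects:', rejects(openGcm, key, flipBit(sealGcm(key, record), 12 + 4)));
```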
NIST SP 800-38D: GCM Mode
The NIST specification for AES-GCM including nonce requirements, tag length choices and usage restrictions.
https://csrc.nist.gov/publications/detail/sp/800-38d/final