diff --git a/cmd/ck-client/ck-client.go b/cmd/ck-client/ck-client.go
index de2873b..99c2e02 100644
--- a/cmd/ck-client/ck-client.go
+++ b/cmd/ck-client/ck-client.go
@@ -187,7 +187,7 @@ start:
 case 0x00:
 crypto = &mux.Plain{}
 case 0x01:
- crypto, err = mux.MakeAESCipher(sta.UID)
+ crypto, err = mux.MakeAESGCMCipher(sta.UID)
 if err != nil {
 log.Println(err)
 return
diff --git a/cmd/ck-server/ck-server.go b/cmd/ck-server/ck-server.go
index d8fd044..0205256 100644
--- a/cmd/ck-server/ck-server.go
+++ b/cmd/ck-server/ck-server.go
@@ -154,7 +154,7 @@ func dispatchConnection(conn net.Conn, sta *server.State) {
 case 0x00:
 crypto = &mux.Plain{}
 case 0x01:
- crypto, err = mux.MakeAESCipher(UID)
+ crypto, err = mux.MakeAESGCMCipher(UID)
 if err != nil {
 log.Println(err)
 goWeb(data)
diff --git a/internal/client/state.go b/internal/client/state.go
index 7797e19..1da978d 100644
--- a/internal/client/state.go
+++ b/internal/client/state.go
@@ -110,7 +110,7 @@ func (sta *State) ParseConfig(conf string) (err error) {
 switch preParse.EncryptionMethod {
 case "plain":
 sta.EncryptionMethod = 0x00
- case "aes":
+ case "aes-gcm":
 sta.EncryptionMethod = 0x01
 case "chacha20-poly1305":
 sta.EncryptionMethod = 0x02
diff --git a/internal/multiplex/crypto.go b/internal/multiplex/crypto.go
index ff439db..0f9d0b5 100644
--- a/internal/multiplex/crypto.go
+++ b/internal/multiplex/crypto.go
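Review bot: In internal/client/state.go, ParseConfig replaces the `"aes"` label outright, so a client config that still says `"aes"` no longer selects 0x01. What happens to such a config depends on the switch's default branch, which is outside this hunk; if there is none, sta.EncryptionMethod would presumably keep its zero value, and 0x00 is the plain method, so the session could silently run unencrypted. Keeping the old spelling as an alias, `case "aes", "aes-gcm":`, avoids breaking deployed configs, and the default branch should return an error for unknown method names rather than fall through.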
@@ -21,41 +21,37 @@ func (p *Plain) encrypt(plaintext []byte, nonce []byte) ([]byte, error) {
 }
 func (p *Plain) decrypt(buf []byte, nonce []byte) ([]byte, error) {
- return buf, nil
+ return buf[:len(buf)-16], nil
 }
-type AES struct {
- cipher cipher.Block
+type AESGCM struct {
+ cipher cipher.AEAD
 }
-func MakeAESCipher(key []byte) (*AES, error) {
+func MakeAESGCMCipher(key []byte) (*AESGCM, error) {
 c, err := aes.NewCipher(key)
 if err != nil {
 return nil, err
 }
- ret := AES{
- c,
+ g, err := cipher.NewGCM(c)
+ if err != nil {
+ return nil, err
+ }
+ ret := AESGCM{
+ g,
 }
 return &ret, nil
 }
-func (a *AES) encrypt(plaintext []byte, nonce []byte) ([]byte, error) {
- aesgcm, err := cipher.NewGCM(a.cipher)
- if err != nil {
- return nil, err
- }
- ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
+func (a *AESGCM) encrypt(plaintext []byte, nonce []byte) ([]byte, error) {
+ ciphertext := a.cipher.Seal(nil, nonce, plaintext, nil)
 ret := make([]byte, len(plaintext)+16)
 copy(ret, ciphertext)
 return ret, nil
 }
-func (a *AES) decrypt(ciphertext []byte, nonce []byte) ([]byte, error) {
- aesgcm, err := cipher.NewGCM(a.cipher)
- if err != nil {
- return nil, err
- }
- plain, err := aesgcm.Open(nil, nonce, ciphertext, nil)
+func (a *AESGCM) decrypt(ciphertext []byte, nonce []byte) ([]byte, error) {
+ plain, err := a.cipher.Open(nil, nonce, ciphertext, nil)
 if err != nil {
 return nil, err
 }
diff --git a/internal/multiplex/obfs.go b/internal/multiplex/obfs.go
index e8f3f06..d6a5e40 100644
--- a/internal/multiplex/obfs.go
+++ b/internal/multiplex/obfs.go
@@ -84,11 +84,14 @@ func MakeDeobfs(key []byte, algo Crypto) Deobfser {
 return nil, err
 }
+ outputPayload := make([]byte, len(decryptedPayload))
+ copy(outputPayload, decryptedPayload)
+
 ret := &Frame{
 StreamID: streamID,
 Seq: seq,
 Closing: closing,
- Payload: decryptedPayload,
+ Payload: outputPayload,
 }
 return ret, nil
 }
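Review bot: In internal/multiplex/crypto.go, the new `return buf[:len(buf)-16], nil` in Plain.decrypt panics with a slice-bounds error whenever buf is shorter than 16 bytes. buf is presumably frame data read from the peer, and nothing visible in this hunk guarantees a minimum length, so a short frame in plain mode would crash the process instead of returning an error the way the AEAD Open path does. Guard it first with `if len(buf) < 16 { return nil, errors.New("ciphertext too short") }`; this needs `errors` in the file's imports, which are outside the hunk. The same care applies to the nonce passed to a.cipher.Seal and a.cipher.Open, since Go's GCM panics on a nonce of the wrong length and the callers that build it are not shown here.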
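Review bot: In internal/multiplex/obfs.go, the added copy into `outputPayload` carries no comment saying why it is needed, and the reason is not evident from the lines shown; the closure returned by MakeDeobfs starts and ends outside this hunk. It appears to exist because Plain.decrypt now returns a subslice of its input, so without the copy Frame.Payload would alias the buffer the caller passed in and could be overwritten when that buffer is reused; this is an inference, since the code producing decryptedPayload is not visible. I would add `// Detach Payload from the input buffer: decrypt may return a subslice of it.` above the `make`. For AESGCM, whose decrypt calls Open with a nil dst, the copy is a second allocation per frame, which the same comment could acknowledge.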