SecretBoxAuthenticationError SecretBox has wrong HMAC

[stevenspiel]

I know other issues have been opened similar to this one, and the response is that it should be fixed in 2.2.0, however, users are still experiencing it on 2.2.0 and 2.5.0.

Here is a breakpoint in aes_gcm.dart where the exception is getting raised.

The mac and calculatedMac are different, which is throwing the error. What else could be causing this issue?

[stevenspiel]

Update: when I remove the mac comparison (lines 133-135), the decryption works as expected.

[akecht]

Can you provide a minimal example of your encryption and decryption code where the issue occurs?

[stevenspiel]

here's the decryption. Working on getting the encryption example:

import 'dart:convert';

import 'package:cryptography/cryptography.dart';

void main() async {
  final _symmetricAlgorithm = AesGcm.with256bits();
  final hkdf = Hkdf(
    hmac: Cryptography.instance.hmac(Sha256()),
    outputLength: 32,
  );

  final key = 'ryUDXJiLUCOboYbmuG87nTIi+to1IPgJy6/hQZmr6A4=';
  final masterKey = SecretKeyData(base64Decode(key));
  final nonce = utf8.encode('storage_context');

  final encryptedWordsMap = {
    "iv": "ZfSMjhYIGgA9Ncti",
    "ciphertext": "unqsCRdKhNYrPlqpY+9uFcZTxIWUxEP7c6fb9lagcOU=",
    "mac": "bw6FRVKS/VMZfx8ABb4v2Q==",
  };
  final encryptedWordsBox = SecretBox(
    base64Decode(encryptedWordsMap['ciphertext'] as String),
    nonce: base64Decode(encryptedWordsMap['iv'] as String),
    mac: Mac(base64Decode(encryptedWordsMap['mac'] as String)),
  );
  final plaintext = await _symmetricAlgorithm.decrypt(
    encryptedWordsBox,
    secretKey: await hkdf.deriveKey(secretKey: masterKey, nonce: nonce),
  );

  print(plaintext);
}

[fedper95]

I'm experiencing the same issue.

I have debugged aes_gcm.dart in the lines pointed by @stevenspiel and the mac I get from the SecretBox when encrypting with encryptString and the bytes are indeed different. Also verified the mac received by the method (not the calculated one) is the same mac that I got from my SecretBox.

Flutter version: 3.7.8 Packages: cryptography: ^2.5.0 cryptography_flutter: ^2.3.0

Here is my flutter doctor:

Doctor summary (to see all details, run flutter doctor -v): [✓] Flutter (Channel stable, 3.7.8, on macOS 13.4 22F66 darwin-arm64, locale en-UY) [✓] Android toolchain - develop for Android devices (Android SDK version 33.0.2) [✓] Xcode - develop for iOS and macOS (Xcode 14.3) [✓] Chrome - develop for the web [✓] Android Studio (version 2022.2) [✓] VS Code (version 1.78.2) [✓] Connected device (3 available) [✓] HTTP Host Availability

• No issues found!

---

[fedper95]

Should we follow any steps in order to create a SecretBox and Mac from bytes?

I'm doing it this way (also tried without converting the bytes list to UInt8List)

final mac = Mac(Uint8List.fromList(encryptedMessage.mac));

    return SecretBox(
      encryptedMessage.message,
      nonce: encryptedMessage.nonce,
      mac: mac,
    );

[fedper95]

Mac bytes from the SecretBox obtained from encryptString method: [212,112,100,80,198,148,209,212,53,47,209,41,92,167,20,129]

Mac bytes recreated by the code I shared in my last comment: [212,112,100,80,198,148,209,212,53,47,209,41,92,167,20,129]

Mac received by decryptSync: [212,112,100,80,198,148,209,212,53,47,209,41,92,167,20,129]

Calculated mac: [173,138,245,156,141,162,54,188,244,172,26,3,99,100,127,48]

[fedper95]

Even when passing the same SecretBox directly from encrypt to decrypt, I get the same scenario.

If it helps, I'm using X25519 to create the keys with the following code:

final keys = await _keyExchange.newKeyPair();
final publicKey = await keys.extractPublicKey();
final secretKey = await keys.extractPrivateKeyBytes();

[fedper95]

I tried decrypting in the same method I encrypted (the only difference seems to be the sharedKey) and it worked.

Could it be the error gets thrown when the key is wrong?

This is the working code:

final sharedSecretKey = await _getSharedSecret(
      remotePublicKeyBytes: receiverPublicKeyBytes,
      userPublicKeyBytes: userPublicKeyBytes,
    );

    final encryptedData = await _cipher.encryptString(
      text,
      secretKey: sharedSecretKey,
    );

    final data = encryptedData.concatenation();

    final newData = SecretBox(
      encryptedData.cipherText,
      nonce: encryptedData.nonce,
      mac: encryptedData.mac,
    );
    final decrypted = await _cipher.decryptString(
      newData,
      secretKey: sharedSecretKey,
    );

    return data.toList();

Doing the same but trying to recover the sharedSecret from the other end (message receiver user) throws the MAC error

[akecht]

@stevenspiel your encrypted data also fails to decrypt when I tested with C#/NSec which probably means something went wrong when encrypting.

@fedper95 yes, an incorrect key will result in a failed decryption and different mac. In your example you're using two public keys for the shared secret, I don't know what exactly you do in _getSharedSecret, but you need a private key for the key agreement.

X25519 example code

```dart import 'package:cryptography/cryptography.dart'; Future main() async { final algorithm = X25519(); // Alice chooses her key pair final aliceKeyPair = await algorithm.newKeyPair(); // Alice knows Bob's public key final bobKeyPair = await algorithm.newKeyPair(); final bobPublicKey = await bobKeyPair.extractPublicKey(); // Alice calculates the shared secret. final sharedSecret = await algorithm.sharedSecretKey( keyPair: aliceKeyPair, remotePublicKey: bobPublicKey, ); final sharedSecretBytes = await sharedSecret.extractBytes(); print('Shared secret: $sharedSecretBytes'); } ```

[stevenspiel]

The encryption was done using 2.0.5. I see some comments about 2.2.0 fixing the issue

https://github.com/dint-dev/cryptography/issues/71#issuecomment-1454032380 https://github.com/dint-dev/cryptography/issues/85#issuecomment-1454073718

1) What exactly changed in 2.2.0 that fixed this? 2) Is there any way to recover faulty encryption done with 2.0.5 (other than bypassing the hmac check)?

[akecht]

I don't know what changed in 2.2.0 but if the mac was calculated incorrectly there is not much you can do other than bypassing the check somehow I think.

If it really is just the mac that is incorrect and you can recover the plaintext by bypassing the hmac check you could also just use Aes-Ctr with a modified nonce and an empty hmac (see here for more details https://stackoverflow.com/questions/49228671/aes-gcm-decryption-bypassing-authentication-in-java/49244840#49244840) - but please note: just because it decrypts does not necessarily mean you get the correct plaintext - you also don't know if your key was correct or not and you should really know what you are doing if you go this route. I quickly tried it out yesterday, so if you need an example of that I can post one later.

If there was however also an error with the ciphertext and you can't decrypt it even with old versions I fear the data is likely lost. Please note, I'm not an expert on this and might be wrong.

[Nialixus]

This issue reoccured in ^2.7.0