Open stevenspiel opened 1 year ago
Update: when I remove the mac comparison (lines 133-135), the decryption works as expected.
Can you provide a minimal example of your encryption and decryption code where the issue occurs?
here's the decryption. Working on getting the encryption example:
import 'dart:convert';
import 'package:cryptography/cryptography.dart';
void main() async {
final _symmetricAlgorithm = AesGcm.with256bits();
final hkdf = Hkdf(
hmac: Cryptography.instance.hmac(Sha256()),
outputLength: 32,
);
final key = 'ryUDXJiLUCOboYbmuG87nTIi+to1IPgJy6/hQZmr6A4=';
final masterKey = SecretKeyData(base64Decode(key));
final nonce = utf8.encode('storage_context');
final encryptedWordsMap = {
"iv": "ZfSMjhYIGgA9Ncti",
"ciphertext": "unqsCRdKhNYrPlqpY+9uFcZTxIWUxEP7c6fb9lagcOU=",
"mac": "bw6FRVKS/VMZfx8ABb4v2Q==",
};
final encryptedWordsBox = SecretBox(
base64Decode(encryptedWordsMap['ciphertext'] as String),
nonce: base64Decode(encryptedWordsMap['iv'] as String),
mac: Mac(base64Decode(encryptedWordsMap['mac'] as String)),
);
final plaintext = await _symmetricAlgorithm.decrypt(
encryptedWordsBox,
secretKey: await hkdf.deriveKey(secretKey: masterKey, nonce: nonce),
);
print(plaintext);
}
I'm experiencing the same issue.
I have debugged aes_gcm.dart
in the lines pointed by @stevenspiel and the mac I get from the SecretBox
when encrypting with encryptString
and the bytes are indeed different. Also verified the mac received by the method (not the calculated one) is the same mac that I got from my SecretBox.
Flutter version: 3.7.8 Packages: cryptography: ^2.5.0 cryptography_flutter: ^2.3.0
Here is my flutter doctor:
Doctor summary (to see all details, run flutter doctor -v): [✓] Flutter (Channel stable, 3.7.8, on macOS 13.4 22F66 darwin-arm64, locale en-UY) [✓] Android toolchain - develop for Android devices (Android SDK version 33.0.2) [✓] Xcode - develop for iOS and macOS (Xcode 14.3) [✓] Chrome - develop for the web [✓] Android Studio (version 2022.2) [✓] VS Code (version 1.78.2) [✓] Connected device (3 available) [✓] HTTP Host Availability
• No issues found!
Should we follow any steps in order to create a SecretBox
and Mac
from bytes?
I'm doing it this way (also tried without converting the bytes list to UInt8List)
final mac = Mac(Uint8List.fromList(encryptedMessage.mac));
return SecretBox(
encryptedMessage.message,
nonce: encryptedMessage.nonce,
mac: mac,
);
Mac bytes from the SecretBox
obtained from encryptString
method: [212,112,100,80,198,148,209,212,53,47,209,41,92,167,20,129]
Mac bytes recreated by the code I shared in my last comment: [212,112,100,80,198,148,209,212,53,47,209,41,92,167,20,129]
Mac received by decryptSync
:
[212,112,100,80,198,148,209,212,53,47,209,41,92,167,20,129]
Calculated mac: [173,138,245,156,141,162,54,188,244,172,26,3,99,100,127,48]
Even when passing the same SecretBox
directly from encrypt
to decrypt
, I get the same scenario.
If it helps, I'm using X25519
to create the keys with the following code:
final keys = await _keyExchange.newKeyPair();
final publicKey = await keys.extractPublicKey();
final secretKey = await keys.extractPrivateKeyBytes();
I tried decrypting in the same method I encrypted (the only difference seems to be the sharedKey) and it worked.
Could it be the error gets thrown when the key is wrong?
This is the working code:
final sharedSecretKey = await _getSharedSecret(
remotePublicKeyBytes: receiverPublicKeyBytes,
userPublicKeyBytes: userPublicKeyBytes,
);
final encryptedData = await _cipher.encryptString(
text,
secretKey: sharedSecretKey,
);
final data = encryptedData.concatenation();
final newData = SecretBox(
encryptedData.cipherText,
nonce: encryptedData.nonce,
mac: encryptedData.mac,
);
final decrypted = await _cipher.decryptString(
newData,
secretKey: sharedSecretKey,
);
return data.toList();
Doing the same but trying to recover the sharedSecret from the other end (message receiver user) throws the MAC error
@stevenspiel your encrypted data also fails to decrypt when I tested with C#/NSec which probably means something went wrong when encrypting.
@fedper95 yes, an incorrect key will result in a failed decryption and different mac. In your example you're using two public keys for the shared secret, I don't know what exactly you do in _getSharedSecret
, but you need a private key for the key agreement.
```dart
import 'package:cryptography/cryptography.dart';
Future
The encryption was done using 2.0.5. I see some comments about 2.2.0 fixing the issue
https://github.com/dint-dev/cryptography/issues/71#issuecomment-1454032380 https://github.com/dint-dev/cryptography/issues/85#issuecomment-1454073718
1) What exactly changed in 2.2.0 that fixed this? 2) Is there any way to recover faulty encryption done with 2.0.5 (other than bypassing the hmac check)?
I don't know what changed in 2.2.0 but if the mac was calculated incorrectly there is not much you can do other than bypassing the check somehow I think.
If it really is just the mac that is incorrect and you can recover the plaintext by bypassing the hmac check you could also just use Aes-Ctr with a modified nonce and an empty hmac (see here for more details https://stackoverflow.com/questions/49228671/aes-gcm-decryption-bypassing-authentication-in-java/49244840#49244840) - but please note: just because it decrypts does not necessarily mean you get the correct plaintext - you also don't know if your key was correct or not and you should really know what you are doing if you go this route. I quickly tried it out yesterday, so if you need an example of that I can post one later.
If there was however also an error with the ciphertext and you can't decrypt it even with old versions I fear the data is likely lost. Please note, I'm not an expert on this and might be wrong.
This issue reoccured in ^2.7.0
I know other issues have been opened similar to this one, and the response is that it should be fixed in 2.2.0, however, users are still experiencing it on 2.2.0 and 2.5.0.
Here is a breakpoint in
aes_gcm.dart
where the exception is getting raised.The
mac
andcalculatedMac
are different, which is throwing the error. What else could be causing this issue?