How do I decrypt AES/CCM encrypted cipher text with Bouncy Castle?

9
votes

Encryption

The encryption is done with Stanford Javascript Crypto Library (SJCL). Below is a complete encryption example divided into two parts. The first is about password based key derivation with PBKDF2. In the second part the actual encryption happens with the derived key and an initialization vector (IV). Note that salt and IV is hard coded so that it is easier to provide a C# decryption solution.

// Key derivation…
var password = "password";
var salt = sjcl.codec.hex.toBits(
    "5f9bcef98873d06a" // Random generated with sjcl.random.randomWords(2, 0);
);                     // Hex encoded with sjcl.codec.hex.toBits(randomSalt);
var iterations = 1000;
var keySize = 128;
var encryptionKey = sjcl.misc.pbkdf2(password, salt, iterations, keySize);

// Encryption…
var blockCipher = new sjcl.cipher.aes(encryptionKey);
var plainText = sjcl.codec.utf8String.toBits("secret");
var iv = sjcl.codec.hex.toBits("8291ff107e798a29");
var adata = ""; // What is adata?
var tag = 64; // What is tag? I think it is authentication strength.
var cipherText = sjcl.mode.ccm.encrypt(blockCipher, plainText, iv, adata, tag);

The value of the encryptionKey variable:

  • SJCL bit array: [ -74545279, -553931361, -1590906567, 1562838103 ]
  • Hex encoded: fb8e8781defbad9fa12cb1395d270457
  • Base64 encoded: +46Hgd77rZ+hLLE5XScEVw==

The value of the iv variable:

  • SJCL bit array: [ -2104361200, 2121894441 ]
  • Hex encoded: 8291ff107e798a29
  • Base64 encoded: gpH/EH55iik=

The value of the cipherText variable:

  • SJCL bit array: [ 1789401157, -1485204800, -440319203, 17593459146752 ]
  • Hex encoded: 6aa81845a77992c0e5c1431d4be2
  • Base64 encoded: aqgYRad5ksDlwUMdS+I=

Question

The question is:

How can I decrypt the cipher text with Bouncy Castle?

Working decryption example after help from jbtule below

using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;

namespace SjclHelpers {

    public static class Encryption {

        /// <summary>Decrypts the cipher text.</summary>
        /// <param name="cipherText">The cipher text.</pararesm>
        /// <param name="key">The encryption key.</param>
        /// <param name="initializationVector">The IV.</param>
        /// <returns>The decrypted text.</returns>
        public static byte[] Decrypt(this byte[] cipherText,
            byte[] key, byte[] initializationVector) {
            var keyParameter = new KeyParameter(key);
            const int macSize = 64;
            var nonce = initializationVector;
            var associatedText = new byte [] {};
            var ccmParameters = new CcmParameters(
                keyParameter,
                macSize,
                nonce,
                associatedText);
            var ccmMode = new CcmBlockCipher(new AesFastEngine());
            var forEncryption = false;
            ccmMode.Init(forEncryption, ccmParameters);
            var plainBytes =
                new byte[ccmMode.GetOutputSize(cipherText.Length)];
            var res = ccmMode.ProcessBytes(
                cipherText, 0, cipherText.Length, plainBytes, 0);
            ccmMode.DoFinal(plainBytes, res);
            return plainBytes;
        }}}

I get a System.ArgumentException. I think it is complaining about that one of the byte arrays is to short.

Boncy Castle is available at the NuGet site at this location: http://nuget.org/packages/BouncyCastle.

About

The AES/CCM decryption solution will be part of the SjclHelpers project at CodePlex and will be released as a NuGet package.

2
c#aesbouncycastleencryption
How is the key retrieved? In my experience, if you aren't using a certificate, you may not be recovering the encryption key properly.James Black
I decode an hex encoded key. The decoding is done like this: sjclhelpers.codeplex.com/SourceControl/changeset/view/… (Test ToBytes_ValidHex_CorrectBytes). The decoding is implemented like this: sjclhelpers.codeplex.com/SourceControl/changeset/view/… (The method ToBytes(this string hex))knut
You'll need to implement PBKDF2 in C# at least to get the same key. There's an implementation in this old question if Bouncy Castle really doesn't have its own implementation, although the Java version at least seems to have a SecretKeyFactory class that'll do it.Rup
I have implemented PBKDF2 (sjclhelpers.codeplex.com/SourceControl/changeset/view/…). In this case I don't need to use PBKDF2 because I have the key that has been derived from the password in the password based key derivation. See the encryption section above. The key in hex 6aa81845a77992c0e5c1431d4be2.knut
Umm, you say your question 6aa81845a77992c0e5c1431d4be2 is the cipher text not the key?jbtule

2 Answers

2
votes

From what I can see:

  1. Nonce should be the IV.
  2. Generally you use AeadParameters instead of CcmParameters but that might still be okay, for sure don't wrap it with ParametersWithIV
  3. associateText is optional, because CCM can authenticate unencrypted data that is related to your encrypted data if you need it. You probably need an argument as it needs to be the same as sjcl adata and the method of transport could be anything.
  4. It is correct that tag and macSize are the same.
  5. DoFinal should be ccmMode.DoFinal(plainBytes, res);
  6. For security, after decryption, you should compare the last (macSize / 8) bytes of the cipherText to ccmMode.GetMac() to check the authentication.
  7. var plainBytes = new byte[ccmMode.GetOutputSize(cipherText.Length)]
1
votes

You cannot decrypt sjcl JSON with Bouncy Castle. Because SJCL's pre-computed table is different from Bouncy Castle's one. I made own library. If you still looking for decrypting solution, have a try. https://github.com/mebius1080p/SJCLDecryptor