Using (and specifying) 128-bit authentication tag for future AES(-GCM) encryption. Supports legacy format with unspecified tag length for decryption.

thesquaregroot · thesquaregroot · commit 7462310454c3 · 2020-07-06T12:09:49.000-04:00
diff --git a/src/main/java/com/softwareverde/cryptography/aes/AesKey.java b/src/main/java/com/softwareverde/cryptography/aes/AesKey.java
@@ -19,6 +19,8 @@ public class AesKey {
 
     private static final String KEY_ALGORITHM = "AES";
     private static final String ENCRYPTION_CIPHER = "AES/GCM/NoPadding"; // Using GCM instead of CBC as it provides authentication
+    private static final int LEGACY_AUTHENTICATION_TAG_LENGTH = 12; // default is tag length is not specified
+    private static final int AUTHENTICATION_TAG_LENGTH = 16; // max allowed value
     private static final int INITIALIZATION_VECTOR_LENGTH = 12; // IV size of 12-bytes is specifically recommended for AES-GCM (more efficient than other lengths)
 
     private SecretKey _key;
@@ -77,13 +79,14 @@ public byte[] encrypt(byte[] plainText) {
         try {
             final Cipher aesCipher = Cipher.getInstance(ENCRYPTION_CIPHER);
             final byte[] initializationVectorBytes = _createInitializationVector();
-            final AlgorithmParameterSpec initializationVector = new GCMParameterSpec(initializationVectorBytes.length * Byte.SIZE, initializationVectorBytes);
+            final AlgorithmParameterSpec initializationVector = new GCMParameterSpec(AUTHENTICATION_TAG_LENGTH * Byte.SIZE, initializationVectorBytes);
             aesCipher.init(Cipher.ENCRYPT_MODE, _key, initializationVector);
             final byte[] cipherText = aesCipher.doFinal(plainText);
 
             // prefix cipher text with initialization vector
             final ByteArrayBuilder byteArrayBuilder = new ByteArrayBuilder();
-            byteArrayBuilder.appendByte((byte) initializationVectorBytes.length);
+            byteArrayBuilder.appendByte((byte) (0x80 | initializationVectorBytes.length));
+            byteArrayBuilder.appendByte((byte) AUTHENTICATION_TAG_LENGTH);
             byteArrayBuilder.appendBytes(initializationVectorBytes);
             byteArrayBuilder.appendBytes(cipherText);
 
@@ -100,10 +103,17 @@ public byte[] encrypt(byte[] plainText) {
     public byte[] decrypt(byte[] cipherText) {
         try {
             // remove initialization vector from cipher text
-            final byte initializationVectorLength = cipherText[0];
-            final int cipherTextOffset = ByteUtil.byteToInteger(initializationVectorLength) + 1;
-            final byte[] initializationVectorBytes = Arrays.copyOfRange(cipherText, 1, cipherTextOffset);
-            final AlgorithmParameterSpec initializationVector = new GCMParameterSpec(initializationVectorLength * Byte.SIZE, initializationVectorBytes);
+            byte initializationVectorLength = cipherText[0];
+            int authenticationTagLength = LEGACY_AUTHENTICATION_TAG_LENGTH;
+            int ivStartIndex = 1;
+            if ((initializationVectorLength & 0x80) != 0) {
+                initializationVectorLength = (byte) (initializationVectorLength ^ 0x80);
+                authenticationTagLength = cipherText[1];
+                ivStartIndex = 2;
+            }
+            int cipherTextOffset = ByteUtil.byteToInteger(initializationVectorLength) + ivStartIndex;
+            final byte[] initializationVectorBytes = Arrays.copyOfRange(cipherText, ivStartIndex, cipherTextOffset);
+            final AlgorithmParameterSpec initializationVector = new GCMParameterSpec(authenticationTagLength * Byte.SIZE, initializationVectorBytes);
             final byte[] encryptedData = Arrays.copyOfRange(cipherText, cipherTextOffset, cipherText.length);
 
             final Cipher aesCipher = Cipher.getInstance(ENCRYPTION_CIPHER);
diff --git a/src/test/java/com/softwareverde/cryptography/aes/AesKeyTests.java b/src/test/java/com/softwareverde/cryptography/aes/AesKeyTests.java
@@ -1,6 +1,7 @@
 package com.softwareverde.cryptography.aes;
 
 import com.softwareverde.constable.bytearray.MutableByteArray;
+import com.softwareverde.util.HexUtil;
 import com.softwareverde.util.StringUtil;
 import com.softwareverde.util.Util;
 import org.junit.Assert;
@@ -40,4 +41,32 @@ public void should_encrypt_and_decrypt_binary_data() throws IOException {
         Assert.assertFalse(Util.areEqual(encryptedData, decryptedData));
         Assert.assertTrue(Util.areEqual(data, decryptedData));
     }
+
+    @Test
+    public void should_perform_legacy_decryption_with_implied_authentication_tag_length() {
+        // Setup
+        final AesKey aesKey = new AesKey(HexUtil.hexStringToByteArray("943CBFA720FA5B76BC8C31CDB618E166221AE8644D3B00F567C77EA4DBD7D9AA"));
+        final MutableByteArray data = MutableByteArray.wrap(StringUtil.stringToBytes("Test"));
+        final byte[] cipherText = HexUtil.hexStringToByteArray("0C9550E3017B60CEFB003B4E54A026DFC7533DC92F229CB78D63B42021");
+
+        // Action
+        final byte[] decryptedData = aesKey.decrypt(cipherText);
+
+        // Assert
+        Assert.assertTrue(Util.areEqual(data, decryptedData));
+    }
+
+    @Test
+    public void should_perform_decryption_with_specified_authentication_tag_length() {
+        // Setup
+        final AesKey aesKey = new AesKey(HexUtil.hexStringToByteArray("8AB983E6F8E71519D2B683E564047A7D8CD27E2DC8D6C3DED0C41CA1B1BB8287"));
+        final MutableByteArray data = MutableByteArray.wrap(StringUtil.stringToBytes("Test"));
+        final byte[] cipherText = HexUtil.hexStringToByteArray("8C10E19046F0A887F4893C04E28398CDD7F00522E8BB9D96B2B0B1D7ED080E7E8D7A");
+
+        // Action
+        final byte[] decryptedData = aesKey.decrypt(cipherText);
+
+        // Assert
+        Assert.assertTrue(Util.areEqual(data, decryptedData));
+    }
 }
