I am using AES/GCM/NoPadding
encryption in java and (I am fairly new to it). If I understand it right GCM should recognize if encrypted message was manipulated, if so it should not decrypt it. As stated in this anwser:
The authentication TAG is an input to the decryption, if someone tampered with your associated data or with your encrypted data, GCM decryption will notice this and will not output any data (or return an error and you should discard the received data without processing it)
However, in my code, if I modify encrypted message (the message part or the tag part), I do not get any errors and the message will be decrypted (It will be different of course). I do not get any errors even when I provide different key, though message will be decrypted incorrectly...
What am I doing wrong? See the code below:
The util class:
public class CryptoUtils {
public static byte[] encrypt(byte[] key, byte[] iv, byte[] input) throws GeneralSecurityException {
try {
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
IvParameterSpec ivspec = new IvParameterSpec(iv);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, ivspec);
int outputLength = cipher.getOutputSize(input.length);
byte[] output = new byte[outputLength];
int outputOffset = cipher.update(input, 0, input.length, output, 0);
cipher.doFinal(output, outputOffset);
return output;
} catch (NoSuchAlgorithmException e) {
Timber.wtf(e);
}
return null;
}
public static byte[] decrypt(byte[] key, byte[] iv, byte[] encrypted) throws GeneralSecurityException {
try {
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
IvParameterSpec ivspec = new IvParameterSpec(iv);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, ivspec);
return cipher.doFinal(encrypted);
} catch (NoSuchAlgorithmException e) {
Timber.wtf(e);
}
return null;
}
}
The code that throws no errors:
byte[] key = getKey();
byte[] iv = generateIv();
byte[] message = "hello".getBytes();
byte[] encrypted = CryptoUtils.encrypt(key, iv, message);
//Split decrypted message into parts.
byte[] encryptedMessage = new byte[message.length];
System.arraycopy(encrypted, 0, encryptedMessage, 0, message.length);
byte[] tag = new byte[encrypted.length - message.length];
System.arraycopy(encrypted, message.length, tag, 0, tag.length);
//I am modifying the message here.
encryptedMessage[0] = 0;
// I am also modifying the key.
key[2] = 0;
//Put message and tag together.
byte[] toDecrypt = new byte[encrypted.length];
System.arraycopy(encryptedMessage, 0, toDecrypt, 0, encryptedMessage.length);
System.arraycopy(tag, 0, toDecrypt, encryptedMessage.length, tag.length);
//Still not getting any errors here.
byte[] decrypted = CryptoUtils.decrypt(key, iv, encryptedMessage);
byte[] decryptedMessage = new byte[message.length];
System.arraycopy(decrypted, 0, decryptedMessage, 0, message.length);
//Decrypted message is different than original.
Timber.d("Decrypted message: %s", new String(decryptedMessage));