"Unsupported state or unable to authenticate data" with aes-128-gcm in Node

Question

I'm trying to implement encrypt/decrypt functions using aes-128-gcm as provided by node crypto. From my understanding, gcm encrypts the ciphertext but also hashes it and provides this as an 'authentication tag'. However, I keep getting the error: "Unsupported state or unable to authenticate data".

I'm not sure if this is an error in my code - looking at the encrypted ciphertext and auth tag, the one being fetched by the decrypt function is the same as the one produced by the encrypt function.

    function encrypt(plaintext) {
    // IV is being generated for each encryption
    var iv = crypto.randomBytes(12),
        cipher = crypto.createCipheriv(aes,key,iv),
        encryptedData = cipher.update(plaintext),
        tag;

    // Cipher.final has been called, so no more encryption/updates can take place
    encryptedData += cipher.final();

    // Auth tag must be generated after cipher.final()
    tag = cipher.getAuthTag();

    return encryptedData + "$$" + tag.toString('hex') + "$$" + iv.toString('hex');
}

function decrypt(ciphertext) {
    var cipherSplit = ciphertext.split("$$"),
        text = cipherSplit[0],
        tag = Buffer.from(cipherSplit[1], 'hex'),
        iv = Buffer.from(cipherSplit[2], 'hex'),
        decipher = crypto.createDecipheriv(aes,key,iv);

    decipher.setAuthTag(tag);

    var decryptedData = decipher.update(text);

    decryptedData += decipher.final();
}

The error is being thrown by decipher.final().

Evgeny Melnikov · Answer 1 · 2023-08-14T09:56:34.247

In case if someone still tries to get a working example of encryption and decryption process.

I've left some comments that should be taken into consideration.

import * as crypto from 'crypto';

const textToEncode = 'some secret text'; // utf-16
const algo = 'aes-128-gcm';

// Key bytes length depends on algorithm being used:
// 'aes-128-gcm' = 16 bytes
// 'aes-192-gcm' = 24 bytes
// 'aes-256-gcm' = 32 bytes
const key = crypto.randomBytes(16);

const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv(algo, key, iv);

const encrypted = Buffer.concat([
  cipher.update(Buffer.from(textToEncode, 'utf-8')),
  cipher.final(),
]);

const authTag = cipher.getAuthTag();

console.info('Value encrypted', {
  valueToEncrypt: textToEncode,
  encryptedValue: encrypted.toString('hex'),
  authTag: authTag.toString('hex'),
});

// It's important to use the same authTag and IV that were used during encoding
const decipher = crypto.createDecipheriv(algo, key, iv);
decipher.setAuthTag(authTag);

const decrypted = Buffer.concat([
  decipher.update(encrypted),
  decipher.final(),
]);

console.info('Value decrypted', {
  valueToDecrypt: encrypted.toString('hex'),
  decryptedValue: decrypted.toString('utf-8'),
});

I think JS defaults to UTF16 for strings, so your line of code `const textToEncode = 'some secret text'; // utf-8` should say `//utf16` right? — Ronnie Royston, Aug 11 '23 at 20:29
@RonnieRoyston Thanks for the comment. Yes, you are right. I've edited the comment — Evgeny Melnikov, Aug 14 '23 at 09:57
this saved my skin - I wasn't using the auth tag and couldn't figure it out from the documentation. You are my saviour!!! — automaticAllDramatic, Aug 14 '23 at 19:14

Vanita · Accepted Answer · 2022-12-21T16:43:42.047

I managed to fix this: the issue was that I wasn't specifying an encoding type for cipher.final() and I was returning it within a String, so it wasn't returning a Buffer object, which decipher.final() was expecting.

To fix, I add 'utf-8' to 'hex' encoding parameters within my cipher.update and cipher.final, and vice versa in decipher.

Edited to add code example - note this is from 2018, so may be outdated now.

function encrypt(plaintext) {
    // IV is being generated for each encryption
    var iv = crypto.randomBytes(12),
        cipher = crypto.createCipheriv(aes,key,iv),
         encryptedData = cipher.update(plaintext, 'utf-8', 'hex'),
        tag;

    // Cipher.final has been called, so no more encryption/updates can take place
     encryptedData += cipher.final('hex');

    // Auth tag must be generated after cipher.final()
    tag = cipher.getAuthTag();

    return encryptedData + "$$" + tag.toString('hex') + "$$" + iv.toString('hex');
}

function decrypt(ciphertext) {
    var cipherSplit = ciphertext.split("$$"),
        text = cipherSplit[0],
         tag = Buffer.from(cipherSplit[1], 'hex'),
            iv = Buffer.from(cipherSplit[2], 'hex'),
            decipher = crypto.createDecipheriv(aes, key, iv);


    decipher.setAuthTag(tag);

    var decryptedData = decipher.update(text, 'hex', 'utf-8');

   decryptedData += decipher.final('utf-8');
}

If you're using GCM or similar make sure to set the authTag https://stackoverflow.com/questions/53269132/aes-256-gcm-encryption-decryption-in-nodejs — Mathspy, Aug 13 '21 at 15:03
@HenockBongi I've added a code example now. Note this project is from 2018, so the code may now be outdated if the library has been updated. — Vanita, Dec 21 '22 at 16:44

"Unsupported state or unable to authenticate data" with aes-128-gcm in Node

2 Answers2

Linked