4

I am working on a project for my Java programming class to create a password manager, and I am working on encrypting and decrypting my passwords.

I have the encryption piece working fine, but I keep getting an javax.crypto.AEADBadTagException: Tag mismatch! error.

Here is the full error:

Exception in thread "main" javax.crypto.AEADBadTagException: Tag mismatch! at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:580) at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116) at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053) at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446) at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202) at PasswordVault.Decrypt(PasswordVault.java:89) at PasswordVault.main(PasswordVault.java:27)

I've been trying to figure out this error on my own through researching here, but I am not having much luck or understanding about what is going wrong.

This is my main class:

import java.io.UnsupportedEncodingException;
import java.security.*;
import java.util.ArrayList;
import java.util.Scanner;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.util.Base64;

public class PasswordVault {
    private static ArrayList<Password> passwordVault;
    public Scanner keyboard = new Scanner(System.in);
    public String website;
    public String username;
    private String password;
    private SecretKey key;

public static void main(String[] args) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException, UnsupportedEncodingException, InvalidKeyException, NoSuchProviderException, InvalidAlgorithmParameterException {
    passwordVault = new ArrayList<>();
    addPassword();
    System.out.println(passwordVault);
    //byte [] passwordByte = passwordVault.get(0).getPassword().getBytes();
    System.out.println(Decrypt(passwordVault.get(0).getPassword(),generateKey()));
}


public static void addPassword() throws NoSuchPaddingException, BadPaddingException, NoSuchAlgorithmException, IllegalBlockSizeException, UnsupportedEncodingException, InvalidKeyException, NoSuchProviderException, InvalidAlgorithmParameterException {
    Scanner keyboard = new Scanner(System.in);
    String website;
    String username;
    String password;
    SecretKey key = null;

    System.out.println("Please enter in the website that you would like to store a password:");
    website = keyboard.nextLine();
    System.out.println("Please enter your username");
    username = keyboard.nextLine();
    System.out.println("Please enter your password");
    password = keyboard.nextLine();
    key = generateKey();
    savePassword(website,username,password,key);
}

private static ArrayList<Password>savePassword(String website, String username, String password, SecretKey key) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException, UnsupportedEncodingException, InvalidKeyException, NoSuchProviderException, InvalidAlgorithmParameterException {
    String encryptedPassword;
    encryptedPassword = Encrypt(password,key);
    String stringEncryptedPassword = new String(encryptedPassword);
    Password savePass = new Password(website, username, stringEncryptedPassword);
    passwordVault.add(savePass);
    return passwordVault;
}

public static SecretKey generateKey() throws NoSuchPaddingException, NoSuchAlgorithmException {
    SecureRandom random = SecureRandom.getInstanceStrong();
    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
    keyGen.init(128, random);
    SecretKey key = keyGen.generateKey();
    return key;
}
private static String Encrypt(String password, SecretKey key) throws UnsupportedEncodingException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, InvalidKeyException, InvalidAlgorithmParameterException, NoSuchProviderException {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
    byte[] iv = new byte[12];
    SecureRandom random = SecureRandom.getInstanceStrong();
    random.nextBytes(iv);
    GCMParameterSpec spec = new GCMParameterSpec(128, iv);
    cipher.init(Cipher.ENCRYPT_MODE, key, spec);
    byte [] bytePassword = password.getBytes("UTF-8");
    byte [] encryptedPassword = cipher.doFinal(bytePassword);
    /*Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key);
    byte [] bytePassword = password.getBytes("UTF-8");
    byte [] encryptedPassword = cipher.doFinal(bytePassword);
    return Base64.getEncoder().encodeToString(encryptedPassword);*/
    //return encryptedPassword;
    return Base64.getEncoder().encodeToString(encryptedPassword);
}

private static String Decrypt(String password, SecretKey key) throws UnsupportedEncodingException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, InvalidKeyException, NoSuchProviderException, InvalidAlgorithmParameterException {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
    byte[] iv = new byte[12];
    SecureRandom random = SecureRandom.getInstanceStrong();
    random.nextBytes(iv);
    GCMParameterSpec spec = new GCMParameterSpec(128, iv);
    cipher.init(Cipher.DECRYPT_MODE, key, spec);
    return new String(cipher.doFinal(Base64.getDecoder().decode(password)));
}
//byte [] byteDecryptPassword = cipher.doFinal(password);
// String newPassword = new String(password, "UTF-8");
//Cipher cipher = null;
//cipher = Cipher.getInstance("AES/GCM/NoPadding");
//cipher.init(Cipher.DECRYPT_MODE, key);
    /*byte [] bytePassword = new byte[0];
    bytePassword = password.getBytes("UTF-8");
    byte [] encryptedPassword = new byte[0];
    encryptedPassword = cipher.doFinal(bytePassword);*/

}

This is my Password object:

public class Password {
    String website;
    String login;
    String password;

public Password(String website, String login, String password) {
    this.website = website;
    this.login = login;
    this.password = password;
}

public String getWebsite() {
    return website;
}

public void setWebsite(String website) {
    this.website = website;
}

public String getLogin() {
    return login;
}

public void setLogin(String login) {
    this.login = login;
}

public String getPassword() {
    return password;
}

public void setPassword(String password) {
    this.password = password;
}

@Override
public String toString(){
    return "Website: " + website + " Login: " + login + " Password: " + password;
}


}

What I am hoping to get right now with my tests is a decrypted plain text version of the password that I enter in. Right now, I just keep getting this BadTag issue.

Any help is greatly appreciated.

Perdue
  • 479
  • 9
  • 19
  • I cannot test the code now, but your first problem is the IV. You must transmit / store the IV, too. There is a nice example [here](https://proandroiddev.com/security-best-practices-symmetric-encryption-with-aes-in-java-7616beaaade9) about how to prepend the IV. – kelalaka Apr 24 '19 at 19:26
  • Actually, since the IV is definitely part of the calculation of the tag, this is probably *the* problem. – Maarten Bodewes Apr 24 '19 at 20:43
  • Nope, a random key for decryption also doesn't work well. – Maarten Bodewes Apr 24 '19 at 21:09

2 Answers2

5

Just to give you some idea on how you could program this, let's show you a new PasswordVault.

Your own new code fragment also works of course, currently sidesteps the required design for password storage; it is a generic GCM example which doesn't store the IV, doesn't have the vault and so on (which is probably a good idea to start off with if you cannot get GCM to work).

Note that the following code fragment is still not a secure vault, but it shows how to program the vault in an OO-fashion.

import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Scanner;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class PasswordVault {
    private static final int KEY_SIZE_BITS = 128;
    private static final int GCM_TAG_SIZE_BITS = 128;
    private static final int GCM_IV_SIZE_BYTES = 12;
    private ArrayList<PasswordEntry> vaultBoxes;
    private SecretKey key;

    public PasswordVault() throws NoSuchAlgorithmException {
        vaultBoxes = new ArrayList<>();
        key = generateKey();
    }

    public void encryptAndStorePasswordEntry(PasswordEntry passwordEntry) throws GeneralSecurityException {
        String encryptedPassword = encrypt(passwordEntry.getPassword(), key);
        PasswordEntry savePass = new PasswordEntry(passwordEntry.getWebsite(), passwordEntry.getLogin(),
                encryptedPassword);
        vaultBoxes.add(savePass);
    }

    public PasswordEntry retrieveAndDecryptPasswordEntry() throws GeneralSecurityException {
        // TODO think of a way to retrieve the password for a specific entry
        PasswordEntry encryptedPasswordEntry = vaultBoxes.get(0);
        String password = decrypt(encryptedPasswordEntry.getPassword(), key);
        return new PasswordEntry(encryptedPasswordEntry.getWebsite(), encryptedPasswordEntry.getLogin(), password);
    }

    public static SecretKey generateKey() throws NoSuchAlgorithmException {
        SecureRandom random = SecureRandom.getInstanceStrong();
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(KEY_SIZE_BITS, random);
        return keyGen.generateKey();
    }

    public static String encrypt(String password, SecretKey key) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

        byte[] iv = generateRandomIV();

        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_SIZE_BITS, iv);
        cipher.init(Cipher.ENCRYPT_MODE, key, spec);

        byte[] bytePassword = password.getBytes(UTF_8);
        byte[] ivCTAndTag = new byte[GCM_IV_SIZE_BYTES + cipher.getOutputSize(bytePassword.length)];
        System.arraycopy(iv, 0, ivCTAndTag, 0, GCM_IV_SIZE_BYTES);

        cipher.doFinal(bytePassword, 0, bytePassword.length, ivCTAndTag, GCM_IV_SIZE_BYTES);
        
        return Base64.getEncoder().encodeToString(ivCTAndTag);
    }

    private static byte[] generateRandomIV() {
        byte[] iv = new byte[GCM_IV_SIZE_BYTES];
        SecureRandom random = new SecureRandom();
        random.nextBytes(iv);
        return iv;
    }

    public static String decrypt(String encryptedPassword, SecretKey key) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

        byte[] ivAndCTWithTag = Base64.getDecoder().decode(encryptedPassword);

        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_SIZE_BITS, ivAndCTWithTag, 0, GCM_IV_SIZE_BYTES);
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        
        byte[] plaintext = cipher.doFinal(ivAndCTWithTag, GCM_IV_SIZE_BYTES, ivAndCTWithTag.length - GCM_IV_SIZE_BYTES);
        
        return new String(plaintext, UTF_8);
    }

    public static void main(String[] args) throws Exception {
        PasswordVault vault = new PasswordVault();
        PasswordEntry passwordEntry = readPlainPasswordEntry();
        vault.encryptAndStorePasswordEntry(passwordEntry);
        System.out.println(vault.vaultBoxes);
        PasswordEntry decryptedPasswordEntry = vault.retrieveAndDecryptPasswordEntry();
        System.out.println(decryptedPasswordEntry);
    }

    public static PasswordEntry readPlainPasswordEntry() {
        try (Scanner keyboard = new Scanner(System.in)) {
            System.out.println("Please enter in the website that you would like to store a password:");
            String website = keyboard.nextLine();
            System.out.println("Please enter your username");
            String login = keyboard.nextLine();
            System.out.println("Please enter your password");
            String password = keyboard.nextLine();

            return new PasswordEntry(website, login, password);
        }
    }
}

As you will see, I've renamed quite a lot of variables as well and introduced multiple constants. I've made the vault one object with state, which consists of the key and the secure entries.

Of course, in the end you want to serialize the vault to store the encrypted values without the key, which must be stored / retrieved / derived from somewhere else. You don't want to mix retrieving the password and storing the password entries (which I've renamed, because a website and login is not part of a password).

I've also simplified the exception handling and String handling (if you ever perform new String(string) then you might be surprised that it consists of return string; internally). To handle crypto exceptions well, take a look at this answer of mine.

OK, hopefully this helps you along. Good luck with the rest of it.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • 1
    You should not create a new cipher instance per encryption/decryption. You also should have a constant random instead of creating a new one for each use. – OughtToPrevail Apr 27 '19 at 14:47
  • Probably, although the performance benefit is rather minimal (subkey derivation doesn't take that much time, and the state is minimal as well) . It would however let you store the key inside the `Cipher` rather than outside of it. This is still a refactor of the original code in the end. – Maarten Bodewes Apr 27 '19 at 15:08
  • Thanks @MaartenBodewes ! I like what you have done with my code to put more of an OO-fashion to it. Do you have any ideas as far as how to make this a bit more secure since I want to play with it some more after my class is over? – Perdue Apr 28 '19 at 16:00
  • Well, the most interesting question with cryptography is always how to secure the key that is used to encrypt the data (which, in itself, is part of *key management*). You could try using a (system) key store, for instance. Or think of things to do if you want to change the key. How to add other encrypted data to an entry. I think that we already mentioned password destruction (`char[]` instead of string) after encryption. OughtToPrevail is correct, you could use `Cipher` as a field *instead* of the key. – Maarten Bodewes Apr 28 '19 at 16:20
  • Snafu, the cipher class doesn't let you initialize without the key - I forgot that little detail. So you do need to keep the key field. Personally, I think that is an API mistake. – Maarten Bodewes Apr 28 '19 at 19:25
  • @MaartenBodewes Our req is to store the encrypted password in DB and then get that and decrypt and send it back to the client while decrypting we are getting BadTagException. How can we solve the issue? – Shankar Nov 19 '19 at 10:24
0

I actually figured out the solution to my program. I had to end up refactoring things because I think I kept resetting my iv, which would cause a type mismatch.

Here is my finished and working code:

import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.UnsupportedEncodingException;
import java.security.*;
import java.util.ArrayList;
import java.util.Scanner;

public class TestPasswordVault {
private static ArrayList<Password> passwordVault;
public Scanner keyboard = new Scanner(System.in);
public String website;
public String username;
private String password;
private static SecretKey key;

public static void main(String[] args) throws UnsupportedEncodingException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, InvalidKeyException, InvalidAlgorithmParameterException, NoSuchProviderException {
    String test = "kittens";
    SecureRandom random = SecureRandom.getInstanceStrong();
    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
    keyGen.init(128, random);
    SecretKey key = keyGen.generateKey();
    byte[] iv = new byte[12];
    random.nextBytes(iv);
    System.out.println(test);
    byte [] newTest = doEncrypt(test,iv,random,key);
    System.out.println(newTest);
    System.out.println(doDecrypt(newTest,iv,random,key));
}


public static byte [] doEncrypt(String password, byte [] iv, SecureRandom random, SecretKey key) throws NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
    GCMParameterSpec spec = new GCMParameterSpec(128, iv);
    cipher.init(Cipher.ENCRYPT_MODE, key, spec);
    byte [] encryptPassword = password.getBytes("UTF-8");
    byte[] cipherText = cipher.doFinal(encryptPassword);
    return cipherText;
}

public static String doDecrypt(byte [] encrypted, byte [] iv, SecureRandom random, SecretKey key)throws NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
    GCMParameterSpec spec = new GCMParameterSpec(128, iv);
    cipher.init(Cipher.DECRYPT_MODE, key, spec);
    byte[] plainText = cipher.doFinal(encrypted);
    return new String(plainText);
}


}
Perdue
  • 479
  • 9
  • 19