Java decryption and encryption compatible with SJCL?

Question

I need to encrypt & decrypt data with both Java (on Android) and SJCL (I could plausibly switch to another JS crypto library, but am familiar with SJCL so would prefer to stick with it if possible).

I have the SJCL end working fine, but at the Java end I'm not really sure what parameters I need to use to set up the key generator and cipher. The code I have so far for decryption is:

SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 1024, 256);
SecretKey tmp = factory.generateSecret(spec);
SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");

Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(iv));
String plaintext = new String(cipher.doFinal(ciphertext), "UTF-8");
return plaintext;

Where salt, iv and ciphertext are extracted as strings from the JSON object produced by SJCL and then decoded using a Base64 decoder to byte arrays.

Unfortunately, I have a few problems with this and the code above doesn't work.

The first problem I have is that PBKDF2WithHmacSHA256 doesn't seem to be a recognised key generation algorithm. I'm not entirely sure that this is what I want, but it appears to be right based on reading the SJCL documentation? Java does recognise PBKDF2WithHmacSHA1, but this doesn't seem to be the same algorithm SJCL implements.

Secondly, if I try using the SHA1 key algorithm, I get an error about invalid key size. Do I need to install something to enable AES with 256-bit keys? Telling the key factory to produce a 128-bit key works OK (although obviously is not compatible with SJCL, which is using a 256-bit key).

Thirdly, what cipher mode should I be using? I'm pretty sure CBC isn't right... SJCL's documentation mentions both CCM and OCB, but Java doesn't seem to support either of these out of the box -- again, do I need to install something to make this work? And which one does SJCL default to?

And finally, even if I pick parameters that make Java not complain about missing algorithms, it complains that the IV provided by decoding the SJCL output is the wrong length, which it certainly appears to be: there are 17 bytes in the resulting output, not 16 as is apparently required by AES. Do I just ignore the last byte?

Answer 1

I haven't tried it (in the end I switched away from using Javascript crypto in favour of using an embedded java applet with bouncycastle to handle communication), but GnuCrypto (a bouncycastle fork) supports PBKDFWithHmacSHA256. The fixed character encoding handling in SJCL presumably fixes the unexpected length of the IV (?), so this would just leave the cipher mode. From this point, it appears that the easiest approach would be to implement a relatively simple cipher mode (e.g. CTR) as an add-on for SJCL, which ought to be only a few hours work even for someone unfamiliar with the code, after which it is simply a matter of encoding and decoding the JSON-encoded data packets that are used by SJCL (which ought to be trivial).

As an alternative, it would certainly be possible to implement OCB mode for Java, despite the fact that the algorithm is proprietary, as there is a public patent grant for software distributed under the GPL (http://www.cs.ucdavis.edu/~rogaway/ocb/grant.htm).

Interestingly, I wonder whether GnuCrypto would accept a patch for OCB mode support? GnuCrypto is distributed under GPL-with-libraries-exemption, which would appear to qualify as "any version of the GNU General Public License as published by the Free Software Foundation", so theoretically at least this should be possible.

Answer 2

SJCL AES in java

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONObject;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Base64.*;
import java.util.HashMap;
import java.util.Map;

import static java.nio.charset.StandardCharsets.UTF_8;

/**
 *
 * SJCL 1.0.8
 *
 * dependencies:
 * compile group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.64'
 * compile group: 'org.json', name: 'json', version: '20190722'
 *
 * ref: https://blog.degering.name/posts/java-sjcl
 */
public class AesSJCL {
    // Simply prints out the decoded string.
    public static void main(String[] args) throws Exception {
        String password = "password";
        String plainText = "Who am I?";

        // encryption
        Map<String, Object> result = new AesSJCL().encrypt( password, plainText);
        String json =  new JSONObject(result).toString();
        System.out.printf("encrypted output:\n%s\n", json);

        System.out.printf("\njavascript testing code:\nsjcl.decrypt(\"%s\", '%s')\n", password, json);

        // decryption
        String decryptedText = new AesSJCL().decrypt(password, json);
        System.out.printf("\ndecrypted output: \n%s\n", decryptedText);
    }

    /**
     *
     * @param password  - password
     * @param encryptedText - {"cipher":"aes","mode":"ccm","ct":"r7U/Gp2r8LVNQR7kl5qLNd8=","salt":"VwSOS3jCn6M=","v":1,"ks":128,"iter":10000,"iv":"5OEwQPtHK2ej1mHwvOf57A==","adata":"","ts":64}
     * @return
     * @throws Exception
     */
    public String decrypt(String password, String encryptedText) throws Exception {
        Decoder d = Base64.getDecoder();

        // Decode the encoded JSON and create a JSON Object from it
        JSONObject j = new JSONObject(new String(encryptedText));

        // We need the salt, the IV and the cipher text;
        // all of them need to be Base64 decoded
        byte[] salt=d.decode(j.getString("salt"));
        byte[] iv=d.decode(j.getString("iv"));
        byte[] cipherText=d.decode(j.getString("ct"));

        // Also, we need the keySize and the iteration count
        int keySize = j.getInt("ks"), iterations = j.getInt("iter");

        // https://github.com/bitwiseshiftleft/sjcl/blob/master/core/ccm.js#L60
        int lol = 2;
        if (cipherText.length >= 1<<16) lol++;
        if (cipherText.length >= 1<<24) lol++;

        // Cut the IV to the appropriate length, which is 15 - L
        iv = Arrays.copyOf(iv, 15-lol);

        // Crypto stuff.
        // First, we need the secret AES key,
        // which is generated from password and salt
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        KeySpec spec = new PBEKeySpec(password.toCharArray(),
                salt, iterations, keySize);
        SecretKey tmp = factory.generateSecret(spec);
        SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");

        // Now it's time to decrypt.
        Cipher cipher = Cipher.getInstance("AES/CCM/NoPadding",
                new BouncyCastleProvider());
        cipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(iv));

        // Return the final result after converting it to a string.
        return new String(cipher.doFinal(cipherText));
    }


    /**
     *
     * @param password
     * @param plainText
     * @return
     * @throws Exception
     */
    public Map<String, Object> encrypt(String password, String plainText) throws Exception {
        int iterations = 10000;  // default in SJCL
        int keySize = 128;

        // https://github.com/bitwiseshiftleft/sjcl/blob/master/core/convenience.js#L321
        // default salt bytes are 8 bytes
        SecureRandom sr = SecureRandom.getInstanceStrong();
        byte[] salt = new byte[8];
        sr.nextBytes(salt);

        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, keySize);
        SecretKey tmp = factory.generateSecret(spec);
        SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");

        // https://github.com/bitwiseshiftleft/sjcl/blob/master/core/random.js#L87
        // default iv bytes are 16 bytes
        SecureRandom randomSecureRandom = SecureRandom.getInstanceStrong();
        byte[] iv = new byte[16];
        randomSecureRandom.nextBytes(iv);

        int ivl = iv.length;
        if (ivl < 7) {
            throw new RuntimeException("ccm: iv must be at least 7 bytes");
        }

        // compute the length of the length
        int ol=plainText.length();
        int L=2;
        for (; L<4 && ( ol >>> 8*L ) > 0; L++) {}
        if (L < 15 - ivl) { L = 15-ivl; }

        byte[] shortIV = Arrays.copyOf(iv, 15-L);

        // Now it's time to decrypt.
        Cipher cipher = Cipher.getInstance("AES/CCM/NoPadding", new BouncyCastleProvider());
        cipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(shortIV));

        byte[] encryptedBytes = cipher.doFinal(plainText.getBytes(UTF_8));

        Encoder encoder = Base64.getEncoder();

        Map<String, Object> map = new HashMap<>();
        map.put("iv", encoder.encodeToString(iv));
        map.put("iter", iterations);
        map.put("ks", keySize);
        map.put("salt", encoder.encodeToString(salt));
        map.put("ct", encoder.encodeToString(encryptedBytes));
        map.put("cipher", "aes");
        map.put("mode", "ccm");
        map.put("adata", "");
        map.put("v", 1);   // I don't know what it is.
        map.put("ts", 64);  // I don't know what it is.

        return map;
    }
}

github gist by me

ref: Java talks SJCL

Answer 3

You may have to use BouncyCastle to get all the cryptographic features used in SJCL. Make sure you're base64 decoding everything correctly and that SJCL doesn't add in length indicators or similar.