Decrypting SJCL encrypted strings in Android

Question

I've got a string that's been encrypted by SJCL server-side, and needs to be decrypted in Android using whatever libraries are available. I tried BouncyCastle, until I ran into the problem of not being able to generate a key from PBKDF2. Now I'm using SpongyCastle, and I'm still running into issues. Here's my code so far for generating a key and decrypting the string:

private static byte[] decrypt(SecretKey key, byte[] encrypted, byte[] iv) throws Exception {
    IvParameterSpec ivSpec = new IvParameterSpec(iv);
    Cipher cipher = Cipher.getInstance("AES/CCM/NoPadding");
    cipher.init(Cipher.DECRYPT_MODE, key, ivSpec);
    byte[] decrypted = cipher.doFinal(encrypted);
    return decrypted;
}

public static SecretKey generateKey(char[] passphraseOrPin, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
    // Number of PBKDF2 hardening rounds to use. Larger values increase
    // computation time. You should select a value that causes computation
    // to take >100ms.
    final int iterations = 1000;

    // Generate a 128-bit key
    final int outputKeyLength = 128;

    /*SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
    KeySpec keySpec = new PBEKeySpec(passphraseOrPin, salt, iterations, outputKeyLength);
    SecretKey secretKey = secretKeyFactory.generateSecret(keySpec);*/

    PKCS5S2ParametersGenerator generator = new PKCS5S2ParametersGenerator(new SHA256Digest());
    generator.init(PBEParametersGenerator.PKCS5PasswordToBytes(passphraseOrPin), salt, iterations);
    KeyParameter key = (KeyParameter) generator.generateDerivedMacParameters(outputKeyLength);
    SecretKey secretKey = new SecretKeySpec(key.getKey(), "AES");
    return secretKey;
}

Here's how I call it in my function:

char[] key = * put PBKDF2 password here *;

// Generate key from password
    SecretKey decryptionKey = null;
    try {
        decryptionKey = generateKey(key, decodedObject.get("salt").getAsString().getBytes());
    } catch (Exception e) {
        Log.e(TAG, e.getMessage());
    }

    byte[] decryptedTicketBytes = null;

    // Decrypt the ticket
    try {
        decryptedTicketBytes = decrypt(decryptionKey, decodedObject.get("ct").getAsString().getBytes(), decodedObject.get("iv").getAsString().getBytes());
    } catch (Exception e) {
        Log.e(TAG, e.getMessage());
    }

The decodedObject is the string from SJCL after being run through a JsonParser with UTF-8 and being Base64 decoded. I took it and ran it through the SJCL Demo with the password and decrypted the string no problem. I must be missing something simple here.

There error I'm getting is on the cipher.doFinal step, and is as follows:

java.security.InvalidKeyException: nonce must have length from 7 to 13 octets

I don't think SJCL uses no padding on their cipher, so I tried using "AES/CCM/PKCS5Padding" on the getInstance but then got this error:

javax.crypto.NoSuchPaddingException: Only NoPadding can be used with AEAD modes.

TLDR: I'm looking for the easiest way to decrypt SJCL strings in Android. Suggestions would be appreciated.

Thanks!

Answer 1

While using a WebView could help, I prefer to use a ScriptEngine (SE) along with its ScriptEngineManager (SEM) , which will also load a WebView in the end but at least the code looks much easier to understand and maintain.

First thing to do, since SE and SEM aren't natively available on Android, you can import 'rhino-library' that solves this issue. I've found out about this here, for reference.

So first step, add the dependence in your build.gradle file :

    implementation 'io.apisense:rhino-android:1.0'

Once done, the rest is pretty straightforward, here the commented code on how I did it. :

package com.example;

import android.content.Context;

import java.io.InputStream;

import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

import com.example.Constants;

public class SJCL {

    private Invocable invocable;

    public SJCL() {

    }

    public void init(Context c) {
        ScriptEngineManager manager = new ScriptEngineManager();
        ScriptEngine engine = manager.getEngineByName("JavaScript");
        try {
            //in this case the constant points to assets/SJCL.js
            InputStream is = c.getAssets().open(Constants.SJCL_FILE_PATH);
            //put that into a string (function further) 
            String sjcl = convertStreamToString(is);

            // read script file
            engine.evals(sjcl);

            invocable = (Invocable) engine;

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    //call js function from wrapper function, this is just one as example
    public String encrypt(Object password, String plainText, String[] params) {
    try {
        //first argument is the function name, second is a Object... with your arguments
        return invocable.invokeFunction("encrypt",password,plainText,params).toString();
    } catch (ScriptException | NoSuchMethodException e) {
        return null;
    }
}

    public String convertStreamToString(InputStream is) throws Exception {
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        StringBuilder sb = new StringBuilder();
        String line = null;
        while ((line = reader.readLine()) != null) {
            sb.append(line).append("\n");
        }
        reader.close();`enter code here
        return sb.toString();
    }
}

I've also posted that as a gist on github, you can have a look here

Hope that helps

Answer 2

The problem is that Java does not work with the default sclj iv number, that uses 4 words. The solution is to tell sclj to generate the iv value with 3 words:

aesEncrypt:function (pass,data) {
var param = { // Java does not accepts the default 4 word size
        iv: sjcl.random.randomWords(3, 0)
};
return sjcl.encrypt(pass,data,param);
}

don´t forget to pass the iv and salt values along with the encrypted message. If you can´t tell sclj to generate a smaller iv number, you will have to change the java implementation, or try to find one that supports iv with 16 bytes.

Answer 3

While this isn't done in Java, it is in fact done in Android. I know it's not the solution I wanted but it works and is a solution.

You can use a WebView to run the SJCL in Android to decrypt the file. You need an interface that the WebView JavaScript can talk to.

public static class JavaScriptInterface {
    Context mContext;

    /** Instantiate the interface and set the context */
    JavaScriptInterface(Context c) {
        mContext = c;
    }

    //This is the function that is callable from the Javascript.
    @JavascriptInterface
    public void doJavaStuff(String dycryptedData)
    {
        //Do what you want with the decrypted data
    }
}

From there you will need to create a method to get a script with the SJCL

public static String getSJCL() { return "<script>\n" + "SJCL_HERE" + "<script>\n";

Then create the HTML to run the code. This all could be done with .html files and .script files, but I wanted my key and encrypted files to be dynamic.

 public static String getHtmlForDecrypting(String encryptedData, String key) {
    return "<html>\n" +
            "    <head>\n" +
                    getSJCL() +
            "        <script type=\"text/javascript\">\n" +
            "            function displaymessage()\n" +
            "            {\n" +
            "                var obj = " + encryptedData + ";\n" +
            "                var objString = JSON.stringify(obj);\n" +
            "                var data = sjcl.decrypt(\"" + key + "\", objString);\n" +
            "                JSInterface.doJavaStuff(data);\n" +
            "            }\n" +
            "        </script>\n" +
            "    </head>\n" +
            "    <body onload=\"displaymessage()\"></body>\n" +
            "</html>\n";
}

Next create the decrypt method.

private static WebView wv;

private static JavaScriptInterface JSInterface;

private static String key1 = "YOURKEY";

public static void decrypt(Context context, String data) {
    JSInterface = new JavaScriptInterface(context);
    wv = new WebView(context);
    wv.addJavascriptInterface(JSInterface, "JSInterface");
    wv.getSettings().setJavaScriptEnabled(true);

    wv.loadData(getHtmlForDecrypting(data, key1), "text/html", null);
}