I am trying to implement cipher text decryption on cipher generated using key derivation on X25519 algorithm. While I am able to decrypt using private key generated in my system on Java, it fails on python. Java code is using generate secret with tlspremaster, something I am unable to find on python. Can someone suggest how to resolve it? I will be posting my code in a while here.
I am fairly new to cryptography and still learning.
Below is my code. pkey is my Private key generated locally on my Mac Host. After key exchange, I am deriving a symmetric key to decrypt an encrypted string received from Java. The keys are X25519 keys generated on my Mac host and Public key from other system is returned in DER encoded format. Decrypting the same payload using my Public key and remote private key in Java works well. However, same in reverse is not working. What am I doing wrong below?
from cryptography.hazmat.primitives import serialization
import base64
from cryptography.hazmat.primitives.ciphers import Cipher,algorithms,modes
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
pkey = serialization.load_der_private_key(
base64.b64decode("MC4CAQAwBQYDK2VuBCIEIKh1Dq7Fu82lqQdBQJTHTvBTxtD6hLconopqvVLVy81s"),
password=None
)
ukey=pkey.public_key()
encstr = base64.b64decode("tAIfdjkAClrwWFcKVYMiCYVhm7NFAotPyBgF2YJkM2ETWPEYcGG6g37MivEhS8b5".encode('utf-8'))
uenkey = ukey.public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
penkey = pkey.private_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
)
ondcpub = (base64.b64decode("MCowBQYDK2VuAyEAa9Wbpvd9SsrpOZFcynyt/TO3x0Yrqyys4NUGIvyxX2Q="))
oenkey = serialization.load_der_public_key(ondcpub)
shared_key = pkey.exchange(oenkey)
shkey = base64.urlsafe_b64encode(shared_key).decode('utf-8')
print("Shared Secret: ", base64.b64encode(shared_key).decode('utf-8'))
hkdf = HKDF(
algorithm=hashes.BLAKE2b(64),
length=32,
salt=None,
info=None
)
key = hkdf.derive(shared_key)
print("Derived Secret: ", base64.b64encode(key).decode('utf-8'))
iv = encstr[0:16]
cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
dec = cipher.decryptor()
text = dec.update(encstr) + dec.finalize()
However, while printing text, I am getting junk bytes returned and not what I encrypted.
Below is the Java code that is able to decrypt the string correctly with out problem:
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
//
import org.springframework.stereotype.Component;
import lombok.Data;
@Component
@Data
public class SubscribeEncryptDecrypt {
String clientPrivateKey = "MFECAQEwBQYDK2VuBCIEIChY69PwPeovw1zAh7TRU+E40LIEykBsbIBp3CanVvRegSEASfWOME2kQQ75i5iMHx0ZodBn0P9UTHcOkeczDmeOVkU=";
String clientPublicKey = "MCowBQYDK2VuAyEASfWOME2kQQ75i5iMHx0ZodBn0P9UTHcOkeczDmeOVkU=";
String proteanPublicKey = "MCowBQYDK2VuAyEALtPj74XkIrkyxTqyssjtYJ3KRND5FnzK5MDrwlK3kC8=";
String proteanPrivateKey = "MFECAQEwBQYDK2VuBCIEIAj5U1DVAX5eGI1jIIcjmzWgPQlIg/T1Q6A3pZ0AIWp6gSEAJGnKRTAEcSvpgD0mw9gBHv94E3w8sTtmPlszuXIEAF0=";
public static String secretKey = "TlsPremasterSecret";
public static void setup() {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
}
}
public String decrypt(String clientPrivateKey, String proteanPublicKey, String value) {
try {
byte[] dataBytes = Base64.getDecoder().decode(proteanPublicKey);
PublicKey publicKey = getPublicKey("X25519", dataBytes);
dataBytes = Base64.getDecoder().decode(clientPrivateKey);
PrivateKey privateKey = getPrivateKey("X25519", dataBytes);
KeyAgreement atServer1 = KeyAgreement.getInstance("X25519", BouncyCastleProvider.PROVIDER_NAME);
atServer1.init(privateKey); // Server1 uses its private key to initialize the aggreement object
atServer1.doPhase(publicKey, true); // Uses Server2's ppublic Key
SecretKey key1 = atServer1.generateSecret(secretKey); // derive secret at server 1.
// "TlsPremasterSecret" is the algorithm for
Cipher cipher2 = Cipher.getInstance("AES", BouncyCastleProvider.PROVIDER_NAME);
cipher2.init(Cipher.DECRYPT_MODE, key1); // Same derived key in server 2same as key1
byte[] decrypted2 = cipher2.doFinal(Base64.getDecoder().decode(value)); // b64 decode the
// message before
return new String(decrypted2);
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return "";
}
public PublicKey getPublicKey(String algo, byte[] jceBytes) throws Exception {
X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(jceBytes);
PublicKey key = KeyFactory.getInstance(algo, BouncyCastleProvider.PROVIDER_NAME)
.generatePublic(x509EncodedKeySpec);
return key;
}
public PrivateKey getPrivateKey(String algo, byte[] jceBytes) throws Exception {
PrivateKey key = KeyFactory.getInstance(algo, BouncyCastleProvider.PROVIDER_NAME)
.generatePrivate(new PKCS8EncodedKeySpec(jceBytes));
return key;
}
public String encrypt(String clientPublicKey, String proteanPrivateKey, String value) {
try {
byte[] dataBytes = Base64.getDecoder().decode(clientPublicKey);
PublicKey publicKey = getPublicKey("X25519", dataBytes);
dataBytes = Base64.getDecoder().decode(proteanPrivateKey);
PrivateKey privateKey = getPrivateKey("X25519", dataBytes);
KeyAgreement atServer1 = KeyAgreement.getInstance("X25519", BouncyCastleProvider.PROVIDER_NAME);
atServer1.init(privateKey); // Server1 uses its private key to initialize the aggreement object
atServer1.doPhase(publicKey, true); // Uses Server2's ppublic Key
SecretKey key1 = atServer1.generateSecret(secretKey); // //derive secret at server 1.
// "TlsPremasterSecret" is the algorithm for
// *Server1
Cipher cipher1 = Cipher.getInstance("AES", BouncyCastleProvider.PROVIDER_NAME);
cipher1.init(Cipher.ENCRYPT_MODE, key1);
byte[] encrypted1 = cipher1.doFinal(value.getBytes(StandardCharsets.UTF_8));
String b64Encryped1 = Base64.getEncoder().encodeToString(encrypted1);
return b64Encryped1;
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return "";
}
public static void main(String[] args) {
SubscribeEncryptDecrypt decr = new SubscribeEncryptDecrypt();
decr.setup();
String enc = decr.encrypt("MCowBQYDK2VuAyEAr+B5vDW7a3QFkCcYqf3RMMi5BxsnwU3fy63pxpCDnQM=",
"MFECAQEwBQYDK2VuBCIEIJDIsJi4nLGZ7BKaJkkIzJxubIndEOvT5hx0MKgoGYFvgSEA13ZQjiRLAA5YG6prELnmQwboQlpj0MzI94XF/kG4UmY=",
"Fossgen is awesome!");
System.out.println("ENC:");
System.out.println(enc);
System.out.println("DECR3:");
System.out.println(decr.decrypt("MFECAQEwBQYDK2VuBCIEIEhk0BhCxAEIHg8HehKzo9IHmCFRpcp9IlBGYsWTPdVzgSEAMmKN2FKRf+ojfYYQ80ZcgyJQvQlbxDA8BAsxNG4vuGI=",
"MCowBQYDK2VuAyEA13ZQjiRLAA5YG6prELnmQwboQlpj0MzI94XF/kG4UmY=",
enc));
}
}
Keys mentioned in the code are real.
I am fairly naive with Cryptography, so apologies in advance for some stupid questions I may be raising here. I create a Key pair with X25519 algorithm locally on my Mac Box. I am getting an encrypted string from a Java service using same algorithm. Code for both Java and Python are mentioned above. The private key of server and local public key in Java code is being used to generate key agreement and shared key. Post derivation of Key, decryption of key returns junk characters.
Below is output of python program:
Local Private Key: MC4CAQAwBQYDK2VuBCIEIKh1Dq7Fu82lqQdBQJTHTvBTxtD6hLconopqvVLVy81s
Local Public Key: MCowBQYDK2VuAyEAX81uAZNOjPutK/Mz4tq/j27+dyjh7zdjwBGR4/+ye2U=
ONDC Public Key: MCowBQYDK2VuAyEAa9Wbpvd9SsrpOZFcynyt/TO3x0Yrqyys4NUGIvyxX2Q=
Shared Secret: n9GvHoVbxb3huDjRGp9h7UUEwmEtBFf5SYjHJPmAfX4=
Derived Secret: HXk952GQGDVmhRykvG8Q/5PdpsBPgL7T5padSbDLf8k=
Decrypted String: b'\xc2]\xb5\x9d2%\xcfz\xb2,\xae,\xf2\x93pW\x16\x885L\xf7\x1c\xe0AnY\xf1*\x91\x08X\t\x9fB\xcd6f\xf8_\xfc\xacU\xbf\xf1mx\xed\x83'
I was finally able to crack the problem, thanks to @Topaco. Problem was, while encrypting, the code was using defaults encryption parameters for Java, which is AES/ECB/PKCS#5 padding. With simple addition of decryption mode aligned with Java default, I was able to decrypt the payload. Below are the code snippets.
Thanks a lot members for your help, much appreciated. The decrypted key the code should return is BCA53D77-A9F5-4C6B-829E-B5A93CC9BF43.