javax.crypto.AEADBadTagException

There are no available Samebug tips for this exception. Do you have an idea how to solve this issue? A short tip would help users who saw this issue last week.

  • Java TLS 1.2 server : AES-GCM decryption
    via Stack Overflow by Alpha4
    ,
  • Gradle wrapper Tag Mismatch error
    via Stack Overflow by Ganitzsh
    ,
  • FULL PRODUCT VERSION : java version "1.8.0_25" Java(TM) SE Runtime Environment (build 1.8.0_25-b17) Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode) ADDITIONAL OS VERSION INFORMATION : Mac OS X 10.10 (14A389) A DESCRIPTION OF THE PROBLEM : JDK 8 documentation explains that we should call Cipher.updateAAD for AES-GCM: http://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html Doing this seems to guarantee AEADBadTagException-s in decryption, while never calling updateAAD works fine and validates the tag as expected. It seems like updateAAD causes some internal state corruption or something similar. STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : - Set AEAD tag (AAD) through updateAAD when decrypting AES-GCM, as documented. OR - Call updateAAD when encrypting (as test cases and other sites suggest) EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - Decryption will succeed, unless tag is actually invalid. ACTUAL - AEADBadTagException will always be thrown when calling doFinal. REPRODUCIBILITY : This bug can be reproduced always. ---------- BEGIN SOURCE ---------- https://gist.github.com/praseodym/f2499b3e14d872fe5b4a import javax.crypto.Cipher; import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import javax.crypto.spec.GCMParameterSpec; import java.nio.ByteBuffer; import java.security.SecureRandom; /** * JDK 8 documentation explains that we should call Cipher.updateAAD: * http://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html * * However, doing this seems to guarantee AEADBadTagException-s, * while not doing this works fine and validates the tag as expected. */ public class AESGCMUpdateAAD { // AES-GCM parameters public static final int AES_KEY_SIZE = 128; // in bits public static final int GCM_NONCE_LENGTH = 12; // in bytes public static final int GCM_TAG_LENGTH = 16; // in bytes public static void main(String[] args) throws Exception { byte[] input = "Hello AES-GCM World!".getBytes(); // Initialise random and generate key SecureRandom random = SecureRandom.getInstanceStrong(); KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(AES_KEY_SIZE, random); SecretKey key = keyGen.generateKey(); // Encrypt Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); final byte[] nonce = new byte[GCM_NONCE_LENGTH]; random.nextBytes(nonce); GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, nonce); cipher.init(Cipher.ENCRYPT_MODE, key, spec); final byte[] tag = new byte[GCM_TAG_LENGTH]; random.nextBytes(tag); // UNEXPECTED: Uncommenting this will cause an AEADBadTagException when decrypting // cipher.updateAAD(tag); byte[] cipherText = cipher.doFinal(input); // Decrypt; nonce is shared implicitly cipher.init(Cipher.DECRYPT_MODE, key, spec); ByteBuffer cipherBuffer = ByteBuffer.wrap(cipherText); cipherBuffer.position(cipherText.length - GCM_TAG_LENGTH); // Tag placed at end // UNEXPECTED: Uncommenting this will cause an AEADBadTagException when decrypting // cipher.updateAAD(cipherBuffer); cipherBuffer.rewind(); // EXPECTED: Uncommenting this will cause an AEADBadTagException when decrypting // cipherText[10] = 54; // Mangle cipher text byte[] plainText = cipher.doFinal(cipherText); // Output result (should equal input) System.out.println(new String(plainText)); } } ---------- END SOURCE ---------- CUSTOMER SUBMITTED WORKAROUND : Never call updateAAD.
    via by Webbug Group,
  • Maven Goal(s) Failing to Execute
    via Stack Overflow by mongolol
    ,
  • Crypt.java · GitHub
    via by Unknown author,
    • javax.crypto.AEADBadTagException: Tag mismatch! at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:524) at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1023) at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:960) at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824) at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) at javax.crypto.Cipher.doFinal(Cipher.java:2223) at com.seemy.codec.tls.TlsCodec.decodeCiphered(TlsCodec.java:525)

    Users with the same issue

    Unknown visitor
    Unknown visitor1 times, last one,
    Unknown visitor
    Unknown visitor2 times, last one,