AES/GCM/NoPadding AEADBadTagException

Question

I am trying to use AES/GCM/NoPadding for encryption in Java8. But I can't figure out why I am having a AEADBadTagException when decrypting.

Here's my code:

private final int GCM_IV_LENGTH = 12;
private final int GCM_TAG_LENGTH = 16;

private static String encrypt(String privateString, SecretKey skey) {
    byte[] iv = new byte[GCM_IV_LENGTH];
    (new SecureRandom()).nextBytes(iv);

    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    GCMParameterSpec ivSpec = new GCMParameterSpec(GCM_TAG_LENGTH * Byte.SIZE, iv);
    cipher.init(Cipher.ENCRYPT_MODE, skey, ivSpec);

    byte[] ciphertext = cipher.doFinal(privateString.getBytes("UTF8"));
    byte[] encrypted = new byte[iv.length + ciphertext.length];
    System.arraycopy(iv, 0, encrypted, 0, iv.length);
    System.arraycopy(ciphertext, 0, encrypted, iv.length, ciphertext.length);

    Base64Encoder encoder = new Base64Encoder();
    String encoded = encoder.encode(encrypted);

    return encoded;
}

private static String decrypt(String encrypted, SecretKey skey) {
    Base64Decoder decoder = new Base64Decoder();
    String decoded = encoder.encode(encrypted);

    byte[] iv = Arrays.copyOfRange(decoded, 0, GCM_IV_LENGTH);

    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    GCMParameterSpec ivSpec = new GCMParameterSpec(GCM_TAG_LENGTH * Byte.SIZE, iv);
    cipher.init(Cipher.DECRYPT_MODE, skey, ivSpec);

    byte[] ciphertext = cipher.doFinal(decoded, GCM_IV_LENGTH, decoded.length - GCM_IV_LENGTH);

    String newString = new String(ciphertext, "UTF8");

    return newString;
}

Hope someone can help me fix this exception. Thanks!

is this java? Your methods claim to return String but actually try to return `byte[]`. Please post code the compiles. [How to create a MCVE](https://stackoverflow.com/help/mcve) — President James K. Polk, Sep 11 '17 at 10:49
Ah my bad. I edited it and added the missing codes. And yes this is java. — Cille, Sep 11 '17 at 11:02
Your code doesn't compile. Try it yourself. `byte[] iv = new Byte[GCM_IV_LENGTH];` is not correct. — President James K. Polk, Sep 11 '17 at 11:10
There you go. So sorry for the typo errors, I can't copy the codes coz it's in the other pc so I just rewrote it. Please bear with me. — Cille, Sep 11 '17 at 11:12
Ah, ok, that sounds painful. Well, after I fix the remaining typos etc it runs fine without exceptions for me. — President James K. Polk, Sep 11 '17 at 11:15
Really? Do you have any idea why it won't work for me? i get this AEADBadTagException when it hits the decrypt mode cipher.doFinal. — Cille, Sep 11 '17 at 11:30
I'll post my code and you can see where, or if, it differs from yours — President James K. Polk, Sep 11 '17 at 11:58
Your code doesn't compile: **cannot resolve method copyOfRange(String, int, int)** — IgorGanapolsky, May 27 '18 at 17:04

score 11 · Accepted Answer · answered Sep 11 '17 at 12:00

I've corrected a few typos, and used Java 8's base64 utilities, and it seems to work fine for me. Here is my version and you can compare it to yours.

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class Main {
    private final static int GCM_IV_LENGTH = 12;
    private final static int GCM_TAG_LENGTH = 16;

    private static String encrypt(String privateString, SecretKey skey) throws Exception {
        byte[] iv = new byte[GCM_IV_LENGTH];
        (new SecureRandom()).nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        GCMParameterSpec ivSpec = new GCMParameterSpec(GCM_TAG_LENGTH * Byte.SIZE, iv);
        cipher.init(Cipher.ENCRYPT_MODE, skey, ivSpec);

        byte[] ciphertext = cipher.doFinal(privateString.getBytes("UTF8"));
        byte[] encrypted = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, encrypted, 0, iv.length);
        System.arraycopy(ciphertext, 0, encrypted, iv.length, ciphertext.length);

        String encoded = Base64.getEncoder().encodeToString(encrypted);

        return encoded;
    }

    private static String decrypt(String encrypted, SecretKey skey) throws Exception {
        byte[] decoded = Base64.getDecoder().decode(encrypted);

        byte[] iv = Arrays.copyOfRange(decoded, 0, GCM_IV_LENGTH);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        GCMParameterSpec ivSpec = new GCMParameterSpec(GCM_TAG_LENGTH * Byte.SIZE, iv);
        cipher.init(Cipher.DECRYPT_MODE, skey, ivSpec);

        byte[] ciphertext = cipher.doFinal(decoded, GCM_IV_LENGTH, decoded.length - GCM_IV_LENGTH);

        String result = new String(ciphertext, "UTF8");

        return result;
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = new SecretKeySpec(new byte[16], "AES"); // key is 16 zero bytes
        String s = decrypt(encrypt("This is the first string to test", key), key);
        System.out.println(s);
    }
}

Oh I figured it out now. I tried using java.util.Base64 and found out that I missed to configure my eclipse to java 8. I really believed it's already running in java 8. How stupid lol. Thank you very much! — Cille, Sep 11 '17 at 12:47
**getDecoder** only works on Android API 26. What do we do with older platforms? — IgorGanapolsky, May 27 '18 at 16:34
@IgorGanapolsky: Use [`android.util.Base64`](https://developer.android.com/reference/java/util/Base64). — President James K. Polk, May 27 '18 at 16:49
If you provide `GCMParameterSpec` while you encrypt here `cipher.init(Cipher.ENCRYPT_MODE, skey, ivSpec);` you get `Caller-provided IV not permitted` as a reason in the exception. — Prudhvi, Jan 31 '20 at 20:56

AES/GCM/NoPadding AEADBadTagException

1 Answers1