All geek questions in one place

BadPaddingException Error: Tag Mismatch: 0

So, I have an android connection with a PC (android = client, PC = server) and when the client tries to connect to the server, it rushes to the server:

javax.crypto.BadPaddingException: Blocktype mismatch: 0 at sun.security.rsa.RSAPadding.unpadV15(Unknown Source) at sun.security.rsa.RSAPadding.unpad(Unknown Source) at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:356) at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:382) at javax.crypto.Cipher.doFinal(Cipher.java:2087)

but the same code for the PC client successfully connects to the PC server (PC-PC, Android-PC does not work)

Is there any difference in Android cryptography that can cause this? I am not sending any code because the code is huge and the 1: 1 copy on the PC client works flawlessly.

Server-side method for decrypting a packet:

 public static Packet decompile(PacketWrapper wrapper, PrivateKey privateKey) throws Exception { for (Provider provider : Security.getProviders()) { System.out.println(provider.getName()); System.out.println(provider.getInfo()); System.out.println(System.lineSeparator()); } Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.DECRYPT_MODE, privateKey); byte[] data = cipher.doFinal(wrapper.data); return (Packet) bytesToObj(data); }

Client method when sending a package:

 try { KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(AESsize, new SecureRandom()); aesKey = (SecretKeySpec) kg.generateKey(); new SecureRandom().nextBytes(ivKey); out.writeObject(Packet.compile(new ClientKeyPacket(aesKey, ivKey), publicKey)); } catch (Exception e) { e.printStackTrace(); print("Could not connect to the server"); closeStreams(""); return; }

where is Packet.compile() :

 public static PacketWrapper compile(Packet packet, PublicKey publicKey) throws Exception { byte[] bytes = objToBytes(packet); System.out.println("Size > " + bytes.length); Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.ENCRYPT_MODE, publicKey); byte[] data = cipher.doFinal(bytes); return new PacketWrapper(data); }

and static Crypt strings:

 public class Crypt { public static String saltMethod = "PBKDF2WithHmacSHA1"; public static String encryptMethod = "AES/CBC/NoPadding"; public static String shortEncrypt = "AES"; public static String encoding = "UTF-8"; public static int saltIterations = 5000; public static int saltLength = 8; }
+4
source share
2 answers

Many things can cause a BadPaddingException . To diagnose them, temporarily set the decryption method to NoPadding . This will allow him to complete to the end and give you some results to study. Look at the last block of the decrypted message.

If you see the tail of your message plus some nice addition, then set the decryption method to expect indentation.

If you see full trash, you have an earlier non-filling problem. Make sure that all bytes by byte are identical on both sides: key, IV, message. As @GregS noted, the default encodings here are a common intruder. In general, defaults are a bad thing. Different systems have different default values, so always explicitly indicate what you are using: character encoding, Cypher mode, padding, KDF, etc. Does not work on different systems, often a symptom of inappropriate system defaults.

Finally, when you have diagnosed the problem, install an addition to something other than NoPadding .

+1
source

By default, Android uses the highly edited Bouncy Castle provider as an implementation for many cryptographic algorithms. This probably also applies to RSA for your version of Android. Now, Bouncy Castle FAQ # 4 says:

If you create a cipher using:

 Cipher rsaCipher = Cipher.getInstance("RSA", "BC");

In fact, the provider must decide what type of fill you receive. In the case of the BC provider, this is not at all equivalent:

 Cipher rsaCipher = Cipher.getInstance("RSA/NONE/NoPadding", "BC");

This is an unsafe version of RSA without padding.

Replace both RSA strings with "RSA/NONE/PKCS1Padding" and you should no longer get the exception. Do not use the provider indicator "BC" , let the JCA find the implementation of the algorithm for you.

Try not to rely on the default values ​​in cryptography.

0
source

Source: https://habr.com/ru/post/1496431/

More articles:


All Articles