Cannot open "SecretBox" generated by TweetNacl (Java) with "Libsodium-net" (C#)

Question

I'm having problems opening a Nacl SecretBox (generated in java using the TweetNaclFast library) in C# using the libsodium-net library. I also can't do it the other way around (open a libsodium-net generated box using TweetNaclFast).

In the following example i'll create a SecretBox using TweetNaclFast (Java) and try to open it with libsodium-net (C#)

Creating the SecretBox (Java)

    String secretMessage = "Hello Stack overflow!";
    byte[] messageBytes = secretMessage.getBytes("UTF-8");
    byte[] keyBytes = secureRandomGenerator(); //returns 32 random bytes (256 bits)
    byte[] nonceBytes = TweetNaclFast.makeSecretBoxNonce();

    byte[] boxBytes = new TweetNaclFast.SecretBox(keyBytes).box(messageBytes,nonceBytes);

    System.out.println("Base64 box -> "+Base64.encodeBase64String(boxBytes));
    System.out.println("Base64 key -> "+Base64.encodeBase64String(keyBytes));
    System.out.println("Base64 nonce -> "+Base64.encodeBase64String(nonceBytes));

Creation Output

Base64 box -> iNEpgwFIo6nyaLNgMpSWqwTQ9Z5y/y+BUXszXVFZ2gP2A3XJ0Q==
Base64 key -> FKpCo/AhRRUjdQIpzMbZSnnzfBx1e/Ni9VZyNWYEB8E=
Base64 nonce -> 2qngWbMLFVNiPTFqTVO9nsraB8ACIrwV

Opening the SecretBox (C#)

string box = "iNEpgwFIo6nyaLNgMpSWqwTQ9Z5y/y+BUXszXVFZ2gP2A3XJ0Q==";
string key = "FKpCo/AhRRUjdQIpzMbZSnnzfBx1e/Ni9VZyNWYEB8E=";
string nonce = "2qngWbMLFVNiPTFqTVO9nsraB8ACIrwV";


        try
        {
            byte[] message = Sodium.SecretBox.Open(
            Convert.FromBase64String(box),
            Convert.FromBase64String(nonce),
            Convert.FromBase64String(key));

            Console.WriteLine(Encoding.UTF8.GetString(message));
        }
        catch (CryptographicException e)
        {
            Console.WriteLine(e.Message);
            Console.WriteLine(e.StackTrace);
        }

Open Output

Failed to open SecretBox
   at Sodium.SecretBox.Open(Byte[] cipherText, Byte[] nonce, Byte[] key)

Any idea about what i might be doing wrong?

EDIT

I guess the problem is with one of the libraries (libsodium-net most likely). If i create a SecretBox with the same variables i get a different box...

Creating a Secret Box with TweetNaclFast

String message = "Hello Stack overflow!";
String key = "uCEgauAQDWGDkcclGe1rNV6V77xtizuemhgxzM5nqO4=";
String nonce = "+RTDstWX1Wps5/btQzSMHWBqHU9s6iqq";

SecretBox box = new SecretBox(Base64.decodeBase64(key));
byte[] cipherText = box.box(message.getBytes("UTF-8"), Base64.decodeBase64(nonce));

RETURNS: yDCt/kOLFUWPZpV3deVNUZaH0ZHLVmj9Nvm8QlbVKPe1a/INDw==

Creating a Secret Box with libsodium-net

string message = "Hello Stack overflow!";
string key = "uCEgauAQDWGDkcclGe1rNV6V77xtizuemhgxzM5nqO4=";
string nonce = "+RTDstWX1Wps5/btQzSMHWBqHU9s6iqq";

byte[] box = Sodium.SecretBox.Create(Encoding.UTF8.GetBytes(message), 
                                             Convert.FromBase64String(nonce), 
                                             Convert.FromBase64String(key));

Console.WriteLine(Convert.ToBase64String(box));

RETURNS: AAAAAAAAAAAAAAAAAAAAAMgwrf5DixVFj2aVd3XlTVGWh9GRy1Zo/Tb5vEJW1Sj3tWvyDQ8=

Frank Denis · Accepted Answer · 2016-04-16T23:59:51.137

3

Sodium.SecretBox.Create uses the original NaCl crypto_box() API, which requires extra padding before the message and the ciphertext.

This API is a bit confusing and is rarely useful except in C. Even in C, people using it end up writing wrappers to prepend or get rid of the padding.

The box and secretbox constructions, as exposed by most APIs, do not require extra padding. The ciphertext is directly returned without 16 extra bytes before. The message can be directly given without prepending 16 nul bytes.

TweetNaclFast does not require any padding, but libsodium-net apparently does.

The extra 16 bytes before the ciphertext you are observing with libsodium-net do not contain any useful information. It's just a bunch of zeros. You can safely strip them, and add them later when calling Sodium.SecretBox.Open.

Note that unlike Sodium.SecretBox, Sodium.PublicKeyBox doesn't require padding.

edited Apr 16 '16 at 23:59

answered Apr 16 '16 at 23:51

Frank Denis

1,475
9
12

That's exactly what i've found. Thanks for the explanation :) – loveMeansNothing Apr 17 '16 at 00:05
1

This is actually [an inconsistency in libsodium-net](https://github.com/adamcaudill/libsodium-net/issues/133). Compatible functions [have been added](https://github.com/bitbeans/libsodium-net/commit/0d718a4c4d2d1f148a081864496fff7620245956). – Frank Denis Apr 17 '16 at 07:04
You rock @Frank Denis – loveMeansNothing Apr 17 '16 at 11:44

loveMeansNothing · Answer 2 · 2016-04-17T14:20:09.637

I should have read the documentation (RTFM)... Apparently libsodium-net adds a 16byte authentication tag on the start of the ciphertext (https://bitbeans.gitbooks.io/libsodium-net/content/secret-key_cryptography/authenticated_encryption.html). If i remove the first 16 bytes i get the same output as the TweetNaclFast SecretBox.

string message = "Hello Stack overflow!";
string key = "uCEgauAQDWGDkcclGe1rNV6V77xtizuemhgxzM5nqO4=";
string nonce = "+RTDstWX1Wps5/btQzSMHWBqHU9s6iqq";

byte[] box = Sodium.SecretBox.Create(Encoding.UTF8.GetBytes(message), 
                                             Convert.FromBase64String(nonce), 
                                             Convert.FromBase64String(key));

byte[] boxWithoutAuthenticationTag = new byte[box.Length - 16];
Array.Copy(box, 16, boxWithoutAuthenticationTag, 0, box.Length - 16);
Console.WriteLine(Convert.ToBase64String(boxWithoutAuthenticationTag));

now returns: yDCt/kOLFUWPZpV3deVNUZaH0ZHLVmj9Nvm8QlbVKPe1a/INDw==

To open (decrypt) the first example's secret box use the following code:

string box = "iNEpgwFIo6nyaLNgMpSWqwTQ9Z5y/y+BUXszXVFZ2gP2A3XJ0Q==";
string key = "FKpCo/AhRRUjdQIpzMbZSnnzfBx1e/Ni9VZyNWYEB8E=";
string nonce = "2qngWbMLFVNiPTFqTVO9nsraB8ACIrwV";

try
{
    //Libsodium-net SecretBox.Open() requires a 16 byte authentication tag at the start of the ciphertext
    //TweetNaclFast boxing method does not append a 16 byte authentication tag anywhere
    //Thus, we need to add a 16 byte authentication tag at the start of ciphertext encripted by TweetNaclFast
    byte[] authenticationTag = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; //Zeroed 16 Bytes Authentication Tag
    byte[] tweetNaclFastCiphertextBytes = Convert.FromBase64String(box);
    byte[] libsodiumNetLikeCiphertext = new byte[tweetNaclFastCiphertextBytes.Length + authenticationTag.Length];
    Array.Copy(authenticationTag, libsodiumNetLikeCiphertext, authenticationTag.Length);
    Array.Copy(tweetNaclFastCiphertextBytes, 0, libsodiumNetLikeCiphertext, authenticationTag.Length, tweetNaclFastCiphertextBytes.Length);
    byte[] nonceBytes = Convert.FromBase64String(nonce);
    byte[] keyBytes = Convert.FromBase64String(key);

    Console.WriteLine(Encoding.UTF8.GetString(Sodium.SecretBox.Open(libsodiumNetLikeCiphertext, nonceBytes, keyBytes)));
}
catch (CryptographicException e)
{
    Console.WriteLine(e.Message);
    Console.WriteLine(e.StackTrace);
}

It should now return Hello Stack overflow!

Cannot open "SecretBox" generated by TweetNacl (Java) with "Libsodium-net" (C#)

2 Answers2