I try to decrypt my SmartMeter data and using Gurux DLMS Transfer it works. But since I don't have any Python, Java, C... environment/knowledge I try to implement PHP for decryption.
According to the info I found here, encrypted data only needs the block cipher key for decryption.
But the PHP algorithm for GCM needs all parameters (key, IV, tag, AAD) to be set. So after reading the Python source code I use the following:
IV(12 bytes) = systemTitle + 0x00 0x00 0x00 0x00 (there is no invocation counter used so always should be 0?)
tag(12 bytes) = 0x00 - 12 times
AAD(16 bytes) = authentication key = xD0 xD1 ... xDF (default values?)
For the encrypted data I use the CipheredService Value from DLMS Transfer output.
But decryption does not work. So can anybody tell me what I am doing wrong with above used parameters?
Hi,
Ciphering can be a real pain. If one of the bytes is wrong it's not working.
I have to say that the easier way is if you can use Gurux DLMS Python library and call it from PHP.
Even if you can decrypt the data, you'll have to convert DLMS messages to.
Your IV looks correct. I don't know the other keys.
BR,
Mikko
Hi Mikko.
Converting the decrypted DLMS message is easy, but decrypting… That's why I try to find out where I use the wrong values - especially the ciphertext and the tag.
1) Is it correct to use the CipheredService Value from DLMS Transfer output as the ciphertext? After the systemTitle the frame data excluding the CRC has 96 bytes, but the CipheredService Value has the first byte missing for example.
2) I read that the tag is part of the encrypted data (appended?). Don't know if this is true for security.ENCRYPTION. So not sure about my used tag = 0x00, or if it's the last 12 bytes of the ciphertext?
Kind regards,
Harry
Ok, found some more Information in the green book. Therefore the CipheredService Value from DLMS Transfer includes the security control byte and the invocation counter followed by the ciphertext. AAD should be NULL in encryption only mode.
Gonna make some more tries with this additional info…
Kind regards,
Harry
Hi Harry,
I'm glad if you solved this. It's quite well explained in Green Book.
BR,
Mikko
Well, not fully solved:
If I encrypt the (with DLMSTranslator) decrypted message with PHP I receive the original SmartMeter encrypted ciphertext AND a 16-byte tag value (which is not part/suffix of the ciphertext). With this tag I can decrypt the original encrypted message with PHP.
But in the NIST Special Publication 800-38D, GCM is defined as an authenticated en-/decryption algorithm and not as an encryption-only function?!
So my question is, does your code calculate the tag during decryption for security.ENCRYPTION mode by itself or am I missing something?
greetings,
Harry
Hi,
There are some differences between programming languages. With some languages, we need to count it.
BR,
Mikko
Hi Mikko.
You didn't quite answer my question. According to NIST specification, GCM = authenticated encryption, GMAC = authentication only. So if SmartMeters use encryption only according to the Green Book, it's no official AES-GCM mode? So, does GXDLMS calculate an authentication tag hardcoded for this security mode or is there an official encryption-only specification somewhere outside the Green Book to get some more infos?
thanks,
Harry
Hi Harry,
All the meters that our clients are reading are using authentication and encryption to secure the communication channel. Encryption only is defined on the DLMS standard, but I don't know any meter that uses it.
The authentication tag is used when GMAC authentication is used and GXDLMS counts that tag. We have used only Green Book and NIST doc:
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
BR,
Mikko
Encryption only can be used for the end-consumer (P1) interface on Siemens Smart Meters for example.
The final solution is easy: AES GCM = AES CTR + authTag
IV for CTR = GCM IV + 4-byte counter increased by 1 for calculating the authentication tag and 1 for encryption (assuming a 12 byte GCM IV)
So encryption only messages according to DLMS standard can be decrypted using AES CTR mode, using 12-byte GCM IV + 0x00000002
Thanks for your input, Mikko!
Harry
Hi,
Thanks for this information, Harry. It's interesting to know that Siemens is not using an authentication tag. I believe that the invocation counter value is coming as part of the message and you don't need to increase it.
BR,
Mikko
Hi
Is there any source code for PHP you can provide?
regards
Stefan
Hi Stefan,
PHP is not supported at the moment, but you can call the Python or Java library from PHP.
BR,
Mikko
Hi Stefan.
The source code for doing what?
The decryption via PHP can be done with openssl_decrypt($encryptedStr, 'aes-128-ctr', $key, 0, $iv);
Harry
What could Security Control Byte of value "20" mean? This is binary 0010 0000.
Greenbook mentions only bits 4 (auth), 5 (enc) and 7 (compress) to be relevant.
Hi,
DLMS is a very complicated protocol and decrypting the data is just a good start.
BR,
Mikko
Hi,
0x20 means that Encryption is used and Security Suite version is zero.
BR,
Mikko
Hi harricane, I looked at your description some time. Can you help transforming this into an example:
Assume the encrypted payload is "20 11 22 33 44 ee ee ee ee ee ee ee ee ee ee ee ee ee" whereas security-byte = "20", followed by 4 bytes for "nonce", after that all the "ee" are ciphertext, and I am not sure if the payload ends with an auth-tag.
SystemTitle is "55 55 55 55 55 55 55 55" and my power company gave only an encryption key with 16 bytes "cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc". I did not get an auth-key.
Security byte = "20" means security suite 0 and encryption-only (according to the info from Kurumi)
How to correctly decode that payload and what encryption mode (ctr, gcm) I need to use?
Decode with aes-128-ctr using key and iv=55555555555555551122334400000002?
Hi Pocki.
You need to know from your smart meter provider, which encryption mode is used! If it is AES GCM you can use AES CTR like me. Your example would be correct so far then, just take into account that after the ciphertext the package ends with a 2-byte CRC-check followed by 7E. Don't include that into your decryption, since it's not part of the ciphertext.
kind regards
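
The decryption discussed in this thread, as an added PHP example that is not code from any of the posters or from Gurux: it splits the ciphered payload into security control byte, invocation counter and ciphertext, then decrypts with AES-128-CTR using the 12-byte GCM IV followed by 0x00000002. The function name is hypothetical, the key, system title and counter are the sample values from the question above, and the plaintext bytes are constructed so the result can be compared against a GCM encryption of the same data.

```php
<?php
// Added illustration, not code from the thread or from Gurux.
// Assumes the HDLC framing (2-byte CRC and trailing 0x7E) is already stripped.
function dlms_decrypt_encryption_only(string $payload, string $systemTitle, string $key): string
{
    if (strlen($systemTitle) !== 8 || strlen($key) !== 16) {
        throw new InvalidArgumentException('expected 8-byte system title and 16-byte key');
    }
    if (strlen($payload) < 6) {
        throw new InvalidArgumentException('payload too short');
    }
    $sc = ord($payload[0]);
    // Per the thread: bit 4 = authentication, bit 5 = encryption, low nibble = suite.
    if (($sc & 0x20) === 0 || ($sc & 0x10) !== 0 || ($sc & 0x0F) !== 0) {
        throw new RuntimeException(sprintf('security control 0x%02X is not suite 0 encryption-only', $sc));
    }
    $invocationCounter = substr($payload, 1, 4);
    $ciphertext        = substr($payload, 5);
    $gcmIv = $systemTitle . $invocationCounter;   // 12-byte GCM IV
    // GCM reserves counter block IV||00000001 for the tag and starts
    // encrypting at IV||00000002, so CTR must start there too.
    $ctrIv = $gcmIv . "\x00\x00\x00\x02";
    $plain = openssl_decrypt($ciphertext, 'aes-128-ctr', $key, OPENSSL_RAW_DATA, $ctrIv);
    if ($plain === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $plain;
}

$key         = hex2bin(str_repeat('cc', 16));       // sample key from the question
$systemTitle = hex2bin(str_repeat('55', 8));        // sample system title
$counter     = hex2bin('11223344');                 // sample invocation counter
$plaintext   = hex2bin('0f000000010c07e5010100ff'); // constructed sample bytes

// Build a test payload with real GCM; the tag is computed by OpenSSL but is
// not transmitted in encryption-only mode, so it is simply dropped here.
$tag = '';
$ct  = openssl_encrypt($plaintext, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $systemTitle . $counter, $tag);
$payload = "\x20" . $counter . $ct;

$recovered = dlms_decrypt_encryption_only($payload, $systemTitle, $key);
echo bin2hex($recovered), PHP_EOL;
// Compare the CTR result with the plaintext that was GCM-encrypted.
var_dump(hash_equals($plaintext, $recovered));
```

Because no tag is checked, CTR decryption gives no integrity guarantee: a wrong key or a corrupted frame still "decrypts" to bytes, so the decoded DLMS structure has to be validated before the values are trusted.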