PHP AES-128-GCM

harricane
PHP AES-128-GCM

Hi.

I try to decrypt my SmartMeter data and using Gurux DLMS Transfer it works. But since I don't have any Python, Java, C... environment/knowledge I try to implement PHP for decryption.
According to the info I found here, encrypted data only needs the block cipher key for decryption.
But the PHP algorithm for GCM needs all parameters (key, IV, tag, AAD) to be set. So after reading the Python source code I use the following:
IV(12 bytes) = systemTitle + 0x00 0x00 0x00 0x00 (there is no invocation counter used so always should be 0?)
tag(12 bytes) = 0x00 - 12 times
AAD(16 bytes) = authentication key = xD0 xD1 ... xDF (default values?)
For the encrypted data I use the CipheredService Value from DLMS Transfer output.
But decryption does not work. So can anybody tell me what I am doing wrong with above used parameters?

thanks,
Harry

Kurumi

Hi,

Ciphering can be a real pain. If one of the bytes is wrong it's not working.
I have to say that the easier way is if you can use Gurux DLMS Python library and call it from PHP.
Even if you can decrypt the data, you'll have to convert DLMS messages too.

Your IV looks correct. I don't know the other keys.

BR,

Mikko

________________________________________
Mikko Kurunsaari
Gurux Ltd
http://www.gurux.fi

harricane

Hi Mikko.

Converting the decrypted DLMS message is easy, but decrypting… That's why I try to find out where I use the wrong values - especially the ciphertext and the tag.
1) Is it correct to use the CipheredService Value from DLMS Transfer output as the ciphertext? After the systemTitle the frame data excluding the CRC has 96 bytes, but the CipheredService Value has the first byte missing for example.
2) I read that the tag is part of the encrypted data (appended?). Don't know if this is true for security.ENCRYPTION. So not sure about my used tag = 0x00, or if it's the last 12 bytes of the ciphertext?

Kind regards,
Harry

harricane

Ok, found some more Information in the green book. Therefore the CipheredService Value from DLMS Transfer includes the security control byte and the invocation counter followed by the ciphertext. AAD should be NULL in encryption only mode.
Gonna make some more tries with this additional info…

Kind regards,
Harry

Kurumi

Hi Harry,

I'm glad if you solved this. It's quite well explained in Green Book.

BR,
Mikko

harricane

Well, not fully solved:

If I encrypt the (with DLMSTranslator) decrypted message with PHP I receive the original SmartMeter encrypted ciphertext AND a 16-byte tag value (which is not part/suffix of the ciphertext). With this tag I can decrypt the original encrypted message with PHP.
But in the NIST Special Publication 800-38D, GCM is defined as an authenticated en-/decryption algorithm and not as an encryption-only function?!
So my question is, does your code calculate the tag during decryption for security.ENCRYPTION mode by itself or am I missing something?

greetings,
Harry

Kurumi

Hi,

There are some differences between programming languages. With some languages, we need to count it.

BR,
Mikko

harricane

Hi Mikko.

You didn't quite answer my question. According to NIST specification, GCM = authenticated encryption, GMAC = authentication only. So if SmartMeters use encryption only according to the Green Book, it's no official AES-GCM mode? So, does GXDLMS calculate an authentication tag hardcoded for this security mode or is there an official encryption-only specification somewhere outside the Green Book to get some more infos?

thanks,
Harry

Kurumi

Hi Harry,

All the meters that our clients are reading are using authentication and encryption to secure the communication channel. Encryption only is defined on the DLMS standard, but I don't know any meter that uses it.

The authentication tag is used when GMAC authentication is used and GXDLMS counts that tag. We have used only Green Book and NIST doc:

http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

BR,
Mikko

harricane

Encryption only can be used for the end-consumer (P1) interface on Siemens Smart Meters for example.
The final solution is easy: AES GCM = AES CTR + authTag
IV for CTR = GCM IV + 4-byte counter increased by 1 for calculating the authentication tag and 1 for encryption (assuming a 12 byte GCM IV)
So encryption only messages according to DLMS standard can be decrypted using AES CTR mode, using 12-byte GCM IV + 0x00000002

Thanks for your input, Mikko!
Harry

Kurumi

Hi,

Thanks for this information, Harry. It's interesting to know that Siemens is not using an authentication tag. I believe that the invocation counter value is coming as part of the message and you don't need to increase it.

BR,
Mikko

steve_cz

Hi

is there any source code for php you can provide?

regards
Stefan

Kurumi

Hi Stefan,

PHP is not supported at the moment, but you can call python or java library from the PHP.

BR,
Mikko

harricane

Hi Stefan.

The source code for doing what?
The decryption via PHP can be done with openssl_decrypt($encryptedStr, 'aes-128-ctr', $key, 0, $iv);

Harry
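
The approach from Harry's two posts above (GCM ciphertext equals CTR output when the CTR IV is the 12-byte GCM IV followed by 0x00000002, decrypted with `openssl_decrypt` in `aes-128-ctr` mode), as an added example that is not code from the thread or from Gurux. The key, system title, invocation counter and payload are constructed values, `dlmsDecryptEncOnly` is a hypothetical helper name, and the frame layout (security control byte, 4-byte invocation counter, ciphertext) and IV composition (system title followed by the invocation counter from the message) are assumptions taken from the posts.

```php
<?php
// Added example. Key, system title, counter and payload are constructed, not real meter data.
$key         = hex2bin('000102030405060708090a0b0c0d0e0f'); // block cipher key (constructed)
$systemTitle = hex2bin('4d4d4d0000000001');                 // 8-byte system title (constructed)

// Assumed layout of the ciphered service value, as described in the thread:
// security control byte | 4-byte invocation counter | ciphertext (no tag).
function dlmsDecryptEncOnly(string $ciphered, string $systemTitle, string $key): string
{
    if (strlen($systemTitle) !== 8 || strlen($key) !== 16 || strlen($ciphered) < 6) {
        throw new InvalidArgumentException('unexpected system title, key or frame length');
    }
    $invocationCounter = substr($ciphered, 1, 4);
    $ciphertext        = substr($ciphered, 5);
    $gcmIv = $systemTitle . $invocationCounter;   // 12-byte GCM IV
    $ctrIv = $gcmIv . "\x00\x00\x00\x02";         // counter block GCM uses for the first data block
    // OPENSSL_RAW_DATA: input is raw bytes. With options = 0 PHP expects base64 input.
    $plain = openssl_decrypt($ciphertext, 'aes-128-ctr', $key, OPENSSL_RAW_DATA, $ctrIv);
    if ($plain === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $plain;
}

// Build a frame with real AES-128-GCM, then drop the tag to mimic encryption-only mode.
$plaintext         = 'constructed DLMS payload, longer than one AES block';
$invocationCounter = hex2bin('0000002a');
$tag = '';
$gcmCiphertext = openssl_encrypt($plaintext, 'aes-128-gcm', $key, OPENSSL_RAW_DATA,
    $systemTitle . $invocationCounter, $tag, '', 12);
$frame = "\x20" . $invocationCounter . $gcmCiphertext; // 0x20: security control byte value quoted in the thread

// The CTR path must recover the plaintext without ever seeing the GCM tag.
$recovered = dlmsDecryptEncOnly($frame, $systemTitle, $key);
if ($recovered !== $plaintext) {
    throw new RuntimeException('CTR decryption did not reproduce the GCM plaintext');
}
echo bin2hex($tag), " (GCM tag, not needed for CTR decryption)\n";
echo $recovered, "\n";
```

CTR decryption performs no integrity check, so a modified frame decrypts without error; the output should be validated as a well-formed DLMS message before it is trusted.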

pocki

What could Security Control Byte of value "20" mean? This is binary 0010 0000.
Greenbook mentions only bits 4 (auth), 5 (enc) and 7 (compress) to be relevant.