DLMS Decryption Implementation Status and Clarification Needed

By ERAIYARUL K , 7 July, 2025
Forums
Gurux.DLMS

Hi All,

I’ve implemented decryption logic using Gurux DLMS in both Python and C# for handling secured DLMS/COSEM communication. Below is a summary of the work done along with current observations and questions.

Python Implementation:

try:
logging.info(
f"\n ------------------- >> >> >> >> >> >> >> \n IsCiper - {isCipherRequirement} InterfaceType - {interfaceType} \n Data - {inputData} \n "
f"AuthKey - {authenticationKey} BlockKey - {blockCipherKey} \n "
f"sysTitle - {systemTitle} SourceSysTitle - {sourceSystemTitle} \n pwd - {meterPassword} \n "
f"-- -- -- -- -- -- -- -- -- ")
data = None
hex_data = inputData
authenticationKey = authenticationKey.encode().hex().upper()
blockCipherKey = blockCipherKey.encode().hex().upper()
obisCode = "0.0.96.1.2.255"
client = GXDLMSSecureClient(True)
# India
client.standard = 1
# Wrapper 1
client.interfaceType = interfaceType

# password
client.password = meterPassword
# systemTitle
client.ciphering.systemTitle = GXByteBuffer.hexToBytes(systemTitle)
# authenticationKey
client.ciphering.authenticationKey = GXByteBuffer.hexToBytes(authenticationKey)
# blockCipherKey
client.ciphering.blockCipherKey = GXByteBuffer.hexToBytes(blockCipherKey)
client.settings.sourceSystemTitle = GXByteBuffer.hexToBytes(sourceSystemTitle)
# Client Address
# client.clientAddress = 48
media = GXNet()
ass_file = "associationView.xml"
invocationCounter = "0.0.43.1.3.255"
trace = 0x4
# Authentication Type - high 2
client.authentication = 2
# Client Address
client.clientAddress = 48
# Security Type - AUTHENTICATION_ENCRYPTION
client.ciphering.security = 0x30
# client.ciphering.dedicatedKey = GXByteBuffer.hexToBytes("01 58")
if dedicatedKey is not None:
client.ciphering.dedicatedKey = GXByteBuffer.hexToBytes(dedicatedKey)

reader = GXDLMSReader(client, media, trace, invocationCounter, hex_data, None) => Client.Getdata(hex_data,reply,notify);

C# Implementation

GXDLMSSecureClient dlms3 = new GXDLMSSecureClient();
dlms3.ServerAddress = 1;
dlms3.ClientAddress = 48;
dlms3.Authentication = Authentication.None;
dlms3.Password = GXCommon.HexToBytes("xxxxxxx");
dlms3.Ciphering.Security = Security.AuthenticationEncryption;
dlms3.Standard = Standard.India;
dlms3.UseLogicalNameReferencing = (true);
dlms3.Ciphering.RecipientSystemTitle = GXCommon.HexToBytes("aaaaaaaaaa");
dlms3.Ciphering.SystemTitle = GXCommon.HexToBytes("bbbbbbbbbbbb");
dlms3.Ciphering.BlockCipherKey = GXCommon.HexToBytes("30 30 30 30 30");
dlms3.Ciphering.AuthenticationKey = GXCommon.HexToBytes("30 30 30 30 ");
dlms3.Ciphering.DedicatedKey = GXCommon.HexToBytes("78799779797");
byte[] rawData = GXCommon.HexToBytes("11 22 ab ......");
dlms3.InterfaceType = (InterfaceType.WRAPPER);

GXByteBuffer buffer = new GXByteBuffer(rawData);
GXReplyData reply = new GXReplyData();
GXReplyData noti = new GXReplyData();

var d = dlms3.GetData(rawData, reply,noti);

Error :
Gurux.DLMS.GXDLMSCipherException: 'Decrypt failed. Invalid authentication tag.'.

This exception was originally thrown at this call stack:
Gurux.DLMS.Secure.GXGMac.Decrypt(byte[], byte, Gurux.DLMS.GXDLMSTranslatorStructure) in GXGMac.cs
Gurux.DLMS.Secure.GXSecure.DecryptAesGcm(Gurux.DLMS.Secure.AesGcmParameter, Gurux.DLMS.GXByteBuffer) in GXSecure.cs
Gurux.DLMS.Secure.GXCiphering.Decrypt(Gurux.DLMS.Secure.AesGcmParameter, Gurux.DLMS.GXByteBuffer) in GXCiphering.cs
Gurux.DLMS.GXDLMS.HandleGloDedResponse(Gurux.DLMS.GXDLMSSettings, Gurux.DLMS.GXReplyData, int) in GXDLMS.cs
Gurux.DLMS.GXDLMS.GetPdu(Gurux.DLMS.GXDLMSSettings, Gurux.DLMS.GXReplyData) in GXDLMS.cs
Gurux.DLMS.GXDLMS.GetData(Gurux.DLMS.GXDLMSSettings, Gurux.DLMS.GXByteBuffer, Gurux.DLMS.GXReplyData, Gurux.DLMS.GXReplyData) in GXDLMS.cs
Gurux.DLMS.GXDLMSClient.GetData(Gurux.DLMS.GXByteBuffer, Gurux.DLMS.GXReplyData, Gurux.DLMS.GXReplyData) in GXDLMSClient.cs

Note: The encrypted DLMS data is being sourced via the GXDLMSTranslator.

Questions for Clarification:

1) Code Validation: Is there anything that looks incorrect or misconfigured in the current decryption logic as per Gurux DLMS expectations?

2) Single Decryption: What is the correct approach to decrypt a single ded_GetResponse value directly using GXDLMSSecureClient in C#?

3) Bulk Decryption: Is it possible to decrypt multiple encrypted data entries in a loop (as an array of hex strings) using the same client configuration, or does anything need to be reinitialized per entry?

To better understand the correct implementation approach, could you kindly provide a sample C# code

ERAIYARUL K

11 months ago

Hi Kurumi,

Title: DLMS RX Data Decryption Issue - Gurux Library

Summary:
I trying to decrypt RX data from a meter using the Gurux.DLMS library with `GXDLMSSecureClient`.
Some data (like deviceId and instantaneous readings) decrypt successfully, but other data fails to decrypt.

Environment:
- .NET 8.0
- Gurux.Common version 8.4.2503.601
- Gurux.DLMS version 9.0.2506.2602

Code Snippet:
```
GXDLMSSecureClient dlms3 = new GXDLMSSecureClient(true);
GXByteBuffer buffer = new GXByteBuffer(RX Value);
GXReplyData reply = new GXReplyData();
GXReplyData noti = new GXReplyData();
var decryptedData = dlms3.GetData(buffer, reply, noti);
```
Error :

at Gurux.DLMS.Secure.GXGMac.Decrypt(Byte[] data, Byte tag, GXDLMSTranslatorStructure xml)
at Gurux.DLMS.Secure.GXSecure.DecryptAesGcm(AesGcmParameter p, GXByteBuffer data)
at Gurux.DLMS.Secure.GXCiphering.Decrypt(AesGcmParameter p, GXByteBuffer data)
at Gurux.DLMS.GXDLMS.HandleGloDedResponse(GXDLMSSettings settings, GXReplyData data, Int32 index)
at Gurux.DLMS.GXDLMS.GetPdu(GXDLMSSettings settings, GXReplyData data)
at Gurux.DLMS.GXDLMS.GetData(GXDLMSSettings settings, GXByteBuffer reply, GXReplyData data, GXReplyData notify)
at Gurux.DLMS.GXDLMSClient.GetData(GXByteBuffer reply, GXReplyData data, GXReplyData notify)
at TEST.AREA.DlmsReader.ReadDLMSPacket(Byte[] data, GXReplyData reply) in D:\RnDproject\TEST.AREA\TEST.AREA\DlmsReader.cs:line 34

And I double -check the credentials and RX value . Same data are decrypting in Translators.

Input :
Credentials and RX value .
Expecting output :
[23040, 0, 0, 0, 1, 22, 6185, true, 15] --- Buffer Value .

Kurumi

11 months ago

Hi,

Connect to your meter with GXDLMSDirector. When you select the meter, is will show correct command line arguments. You can then connect to your meter with the client example that I shared earlier.

There are a lot of parameters, and if one of them is different from what the meter expects, the connection fails.

BR,
Mikko

ERAIYARUL K

11 months ago

Thanks For Response,
Sir , Meter Communication is done. Last few years are working on our Gurux Communication Protocol.

Note -
1) Device sends the specific RX value (like Instantaneous Attribute capture object and buffer value etc...)
2) I have command line arguments in Cache. (like systemTitle,serverSystemTitle, blockCipherKey, authenticationKey, dedicatedKey,Standard,InterfaceType,ClientAddress,ServerAddress,Authentication,Password,Security, SecuritySuite etc....)

Process:
1)The correct command line arguments are parsed and create the GXDLMSClient objects well.
2) call the GetData function and map it with the RX value .
3) In High Authentication few data are decrypting like Instantaneous , DeviceId etc..., Other datas i got this error - "Decrypt failed.Invalid authentication tag. ".
4) My Task is to decrypt RX data by meter Credentials.

Kurumi

10 months 3 weeks ago

Hi,

Decrypt failed. An invalid authentication tag error means that your block cipher and/or authentication key are wrong. You need to set the correct keys.

BR,
Mikko