AES 256 GCM with IV vector - Encryption outside Singlestore DB and Decryption inside Singlestore

baskar.sks · June 29, 2023, 4:50am

Hi,

I am on version 7.9.X and using AES 256 GCM method of encryption with IV vector for encrypting data outside singlestore using java code.

public static String encrypt(final String plainText, final String encryptionKey) {
		try {
			final Cipher cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
			final byte[] key = encryptionKey.getBytes(CHARACTER_ENCODING);
			final SecretKey secretKey = new SecretKeySpec(key, AES_ENCRYPTION_ALGORITHM);

			// Generate a random nonce (IV)
			byte[] nonce = new byte[GCM_NONCE_LENGTH];
			SecureRandom secureRandom = new SecureRandom();
			secureRandom.nextBytes(nonce);
			
			// Initialize the cipher with GCM parameters
			GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, nonce);
			cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmParameterSpec);

			final byte[] cipherText = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));

			// Encode the IV and ciphertext as Base64
			final Base64.Encoder encoder = Base64.getEncoder();
			String encodedIV = encoder.encodeToString(nonce);
			String encodedCiphertext = encoder.encodeToString(cipherText);

			// Concatenate the IV and ciphertext
			return encodedIV + ":" + encodedCiphertext;
		} catch (final Exception e) {
			LOGGER.info("An error occurred in encrypt method. Exception message is '{}'", e.getMessage());
			throw new RuntimeException(e);
		}
	}

It returns base64 encoded dynamic IV vector and the base64 encoded encrypted text.

Getting NULL when trying to decrypt inside singlestore using the query below.

SELECT AES_DECRYPT(BASE_64('DUTJdkWfcjGQS73u6DQe/9fCYg2edr71dOBtDTjvBC4T1NUFYojN'), 'A1A2A3A4A5A6CAFE',BASE_64( '+pYvqdmYAjBS6N43'), 'aes-256-gcm'):>TEXT;

hanson · June 30, 2023, 10:24pm

Looks like you are trying to decrypt with a key that is different from what was used to encrypt. Or maybe your BASE_64 function is returning NULL. E.g.

singlestore> select aes_decrypt('foo','bar', null, 'aes-256-gcm');
+-----------------------------------------------+
| aes_decrypt('foo','bar', null, 'aes-256-gcm') |
+-----------------------------------------------+
| NULL                                          |
+-----------------------------------------------+
1 row in set (0.06 sec)

singlestore> set @key = 'bar';
Query OK, 0 rows affected (0.02 sec)

singlestore> set @ct = aes_encrypt('foo', @key, null, 'aes-256-gcm');
Query OK, 0 rows affected (0.01 sec)

singlestore> select aes_decrypt(@ct, @key, null, 'aes-256-gcm');
+---------------------------------------------+
| aes_decrypt(@ct, @key, null, 'aes-256-gcm') |
+---------------------------------------------+
| foo                                         |
+---------------------------------------------+
1 row in set (0.00 sec)