Android AES в режиме счетчика с 256-битным ключом

Наша команда шифрует данные на основе фрагмента кода Javascript, следите за этой страницей и здесь

теперь мне нужно расшифровать данные с помощью java на моих мобильных устройствах.

На странице написано:

Ключ в этом сценарии получается путем применения процедуры шифрования для шифрования первых 16/24/32 символов пароля (для 128-/192-/256-битных ключей) для создания ключа. Это удобный способ получить безопасный ключ в полностью автономном сценарии (в производственной среде, в отличие от этого учебного кода, ключ может быть сгенерирован как хэш, например, просто ключ = Sha256 (пароль)). Более подробно, предоставленный пароль преобразуется в UTF-8 (чтобы быть безопасным по байтам), затем первые 16/24/32 символа преобразуются в байты. Полученный pwBytes используется в качестве начального значения для Aes.keyExpansion(), который затем используется в качестве ключа для шифрования pwBytes с помощью Aes.cipher(). Примеры ключей, сгенерированных таким образом из (нереально) простых `

Итак, я думаю, что застрял при создании ключа с использованием пароля

Вот мой тестовый пример:

  • Оригинальный текст: Today
  • Пароль: aa2145f9e2a5daaa9c6a8ddc5f5c1a39
  • Фактический результат j��

Они не используют ключ дважды, они каждый раз используют случайный вектор инициализации (IV), поэтому результаты разные.


private static String decrypt(SecretKey aesKey, String encodedCiphertext) {
    try {
        // that's no base 64, that's base 64 over the UTF-8 encoding of the code points
        byte[] ciphertext = jsBase64Decode(encodedCiphertext);
        Cipher aesCTR = Cipher.getInstance("AES/CTR/NOPADDING");
        int n = aesCTR.getBlockSize();
        byte[] counter = new byte[n];
        int nonceSize = n / 2;
        System.arraycopy(ciphertext, 0, counter, 0, nonceSize);
        IvParameterSpec iv = new IvParameterSpec(counter);
        aesCTR.init(Cipher.DECRYPT_MODE, aesKey, iv);
        byte[] plaintext = aesCTR.doFinal(ciphertext, nonceSize, ciphertext.length - nonceSize);
        return new String(plaintext, "UTF-8");
    } catch (Exception e) {
    return "";

private static byte[] jsBase64Decode(String encodedCiphertext) {
    byte[] ciphertext = null;
    try {
        byte[] utf8CT = Base64.decode(encodedCiphertext);

        String cts = new String(utf8CT, "UTF-8");
        ciphertext = new byte[cts.length()];
        for (int i = 0; i < cts.length(); i++) {
            ciphertext[i] = (byte) (cts.charAt(i) & 0xFF);

    }catch (Exception e) {
    //Arrays.copyOfRange(new byte[100], 0, 99);
    return ciphertext;

// that should not be a singleton lazybones, it may contain state
private static SecretKey deriveKey(String password, int nBits) throws CharacterCodingException {
    try {
        Charset charset = Charset.forName("UTF-8");
        CharsetEncoder encoder = charset.newEncoder();

        ByteBuffer buf = encoder.encode(CharBuffer.wrap(password));
        //byte[] buf1 = password.getBytes();
        int nBytes = nBits / Byte.SIZE; // bits / Byte.SIZE;
        Cipher aesECB = Cipher.getInstance("AES/ECB/NoPadding");
        int n = aesECB.getBlockSize();
        byte[] pwBytes = new byte[nBytes];
        // so we only use those characters that fit in nBytes! oops!
        buf.get(pwBytes, 0, buf.remaining());
        //pwBytes = password.getBytes("UTF-8");
        SecretKey derivationKey = new SecretKeySpec(pwBytes, "AES");
        aesECB.init(Cipher.ENCRYPT_MODE, derivationKey);
        // and although the derivationKey is nBytes in size, we only encrypt 16 (the block size)
        byte[] partialKey = aesECB.doFinal(pwBytes, 0, n);
        byte[] key = new byte[nBytes];
        System.arraycopy(partialKey, 0, key, 0, n);
        // but now we have too few so we *copy* key bytes
        // so only the increased number of rounds is configured using nBits
        System.arraycopy(partialKey, 0, key, n, nBytes - n);
        SecretKey derivatedKey = new SecretKeySpec(key, "AES");
        return derivatedKey;
    } catch (Exception e) {
        throw new IllegalStateException("Key derivation should always finish", e);

public static String main(){

    SecretKey key = null;
    try {
        key = deriveKey("aa2145f9e2a5daaa9c6a8ddc5f5c1a39", 256);

    } catch (Exception e) {
    // ciphertext may vary in length depending on UTF-8 encoding
    String pt = decrypt(key, "eQDH+srPqlbh7Ml42g==");
    return pt;



Я сам портировал. Спасибо в любом случае.

Пишите сюда для тех, кто хочет сделать как я

 * Created by luu on 1/28/2016.
public class AES {

// sBox is pre-computed multiplicative inverse in GF(2^8) used in subBytes and keyExpansion [§5.1.1]
private static final int[] sBox =  new int[]{

// rCon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [§5.2]
private static final int[][] rCon = new int[][]{
        new int[]{0x00, 0x00, 0x00, 0x00},//0
        new int[]{0x01, 0x00, 0x00, 0x00},//1
        new int[]{0x02, 0x00, 0x00, 0x00},//2
        new int[]{0x04, 0x00, 0x00, 0x00},//3
        new int[]{0x08, 0x00, 0x00, 0x00},//4
        new int[]{0x10, 0x00, 0x00, 0x00},//5
        new int[]{0x20, 0x00, 0x00, 0x00},//6
        new int[]{0x40, 0x00, 0x00, 0x00},//7
        new int[]{0x80, 0x00, 0x00, 0x00},//8
        new int[]{0x1b, 0x00, 0x00, 0x00},//9
        new int[]{0x36, 0x00, 0x00, 0x00}//10

 * AES Cipher function: encrypt 'input' state with Rijndael algorithm [§5.1];
 *   applies Nr rounds (10/12/14) using key schedule w for 'add round key' stage.
 * @param   {number[]}   input - 16-byte (128-bit) input state array.
 * @param   {number[][]} w - Key schedule as 2D byte-array (Nr+1 x Nb bytes).
 * @returns {number[]}   Encrypted output state array.
private static int[] cipher (int[] input, int[][] w) {
    int Nb = 4;               // block size (in words): no of columns in state (fixed at 4 for AES)
    int Nr = w.length / Nb - 1; // no of rounds: 10/12/14 for 128/192/256-bit keys

    int[][] state = new int[4][];//  [[],[],[],[]];  // initialise 4xNb byte-array 'state' with input [§3.4]
    for (int i = 0; i < 4 * Nb; i++)
        if (state[i % 4] == null)
            state[i % 4] = new int[4];
        state[i % 4][(int)Math.floor((double) i / 4)] = input[i];

    state = addRoundKey(state, w, 0, Nb);

    for (int round = 1; round < Nr; round++)
        state = subBytes(state, Nb);
        state = shiftRows(state, Nb);
        state = mixColumns(state, Nb);
        state = addRoundKey(state, w, round, Nb);

    state = subBytes(state, Nb);
    state = shiftRows(state, Nb);
    state = addRoundKey(state, w, Nr, Nb);

    int[] output = new int[4 * Nb];  // convert state to 1-d array before returning [§3.4]
    for (int i = 0; i < 4 * Nb; i++)
        output[i] = state[i % 4][(int)Math.floor((double) i / 4)];

    return output;

 * Perform key expansion to generate a key schedule from a cipher key [§5.2].
 * @param   {number[]}   key - Cipher key as 16/24/32-byte array.
 * @returns {number[][]} Expanded key schedule as 2D byte-array (Nr+1 x Nb bytes).
private static int[][] keyExpansion (int[] key) {
    int Nb = 4;            // block size (in words): no of columns in state (fixed at 4 for AES)
    int Nk = key.length / 4; // key length (in words): 4/6/8 for 128/192/256-bit keys
    int Nr = Nk + 6;       // no of rounds: 10/12/14 for 128/192/256-bit keys

    int[][] w = new int[Nb * (Nr + 1)][Nb];
    int[] temp = new int[4];

    // initialise first Nk words of expanded key with cipher key
    for (int i = 0; i < Nk; i++) {
        int[] r = new int[] { key[4 * i], key[4 * i + 1], key[4 * i + 2], key[4 * i + 3] };
        w[i] = r;

    // expand the key into the remainder of the schedule
    for (int i = Nk; i < (Nb * (Nr + 1)); i++) {
        w[i] = new int[4];
        for (int t = 0; t < 4; t++) temp[t] = w[i - 1][t];
        // each Nk'th word has extra transformation
        if (i % Nk == 0) {
            temp = subWord(rotWord(temp));
            for (int t = 0; t < 4; t++) temp[t] ^= rCon[i / Nk][t];
        // 256-bit key has subWord applied every 4th word
        else if (Nk > 6 && i % Nk == 4) {
            temp = subWord(temp);
        // xor w[i] with w[i-1] and w[i-Nk]
        for (int t = 0; t < 4; t++)
            w[i][t] = (w[i - Nk][t] ^ temp[t]);

    return w;

 * Apply SBox to state S [§5.1.1]
 * @private
private static int[][] subBytes (int[][] s, int Nb) {
    for (int r = 0; r < 4; r++) {
        for (int c = 0; c < Nb; c++) s[r][c] = sBox[s[r][c]];
    return s;

 * Shift row r of state S left by r bytes [§5.1.2]
 * @private
private static int[][] shiftRows (int[][] s, int Nb) {
    int[] t = new int[4];
    for (int r = 1; r < 4; r++) {
        for (int c = 0; c < 4; c++) t[c] = s[r][(c + r) % Nb];  // shift into temp copy
        for (int c = 0; c < 4; c++) s[r][c] = t[c];         // and copy back
    }          // note that this will work for Nb=4,5,6, but not 7,8 (always 4 for AES):
    return s;  // see

 * Combine bytes of each col of state S [§5.1.3]
 * @private
private static int[][] mixColumns (int[][] s, int Nb) {
    for (int c = 0; c < 4; c++) {
        int[] a = new int[4];  // 'a' is a copy of the current column from 's'
        int[] b = new int[4];  // 'b' is a•{02} in GF(2^8)
        for (int i = 0; i < 4; i++)
            a[i] = s[i][c];
            b[i] = (s[i][c] & 0x80) > 0 ? (s[i][c] << 1 ^ 0x011b) : (s[i][c] << 1);
        // a[n] ^ b[n] is a•{03} in GF(2^8)
        s[0][c] = (b[0] ^ a[1] ^ b[1] ^ a[2] ^ a[3]); // {02}•a0 + {03}•a1 + a2 + a3
        s[1][c] = (a[0] ^ b[1] ^ a[2] ^ b[2] ^ a[3]); // a0 • {02}•a1 + {03}•a2 + a3
        s[2][c] = (a[0] ^ a[1] ^ b[2] ^ a[3] ^ b[3]); // a0 + a1 + {02}•a2 + {03}•a3
        s[3][c] = (a[0] ^ b[0] ^ a[1] ^ a[2] ^ b[3]); // {03}•a0 + a1 + a2 + {02}•a3
    return s;

 * Xor Round Key into state S [§5.1.4]
 * @private
private static int[][] addRoundKey (int[][] state, int[][] w, int rnd, int Nb) {
    for (int r = 0; r < 4; r++) {
        for (int c = 0; c < Nb; c++) state[r][c] ^= w[rnd * 4 + c][r];
    return state;

 * Apply SBox to 4-byte word w
 * @private
private static int[] subWord (int[] w) {
    for (int i = 0; i < 4; i++) w[i] = sBox[w[i]];
    return w;

 * Rotate 4-byte word w left by one byte
 * @private
private static int[] rotWord (int[] w) {
    int tmp = w[0];
    for (int i = 0; i < 3; i++) w[i] = w[i + 1];
    w[3] = tmp;
    return w;

 * Decrypt a text encrypted by AES in counter mode of operation
 * @param   {string} ciphertext - Source text to be encrypted.
 * @param   {string} password - Password to use to generate a key.
 * @param   {number} nBits - Number of bits to be used in the key; 128 / 192 / 256.
 * @returns {string} Decrypted text
 * @example
 *   var decr = Aes.Ctr.encrypt('lwGl66VVwVObKIr6of8HVqJr', 'pāşšŵōřđ', 256); // decr: 'big secret'
public static String decrypt(String ciphertext, String password, int nBits) throws Exception{
    String plaintext = "";
    //try {
        int blockSize = 16;  // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
        if (!(nBits == 128 || nBits == 192 || nBits == 256))
            return ""; // standard allows 128/192/256 bit keys

        ciphertext = base64Decoder(ciphertext);
        password = UTF8Encode(password);

        // use AES to encrypt password (mirroring encrypt routine)
        int nBytes = nBits / 8;  // no bytes in key
        int[] pwBytes = new int[nBytes];
        for (int i = 0; i < nBytes; i++) {
            pwBytes[i] = Float.isNaN(password.charAt(i)) ? 0 : password.charAt(i);

        int[] key = cipher(pwBytes, keyExpansion(pwBytes));
        // expand key to 16/24/32 bytes long
        int bytesExpand = nBytes - 16;
        if(bytesExpand > 0){

            int keyOriginalLength = key.length;
            int[] expandKey = new int[bytesExpand];
            int[] endKey = new int[keyOriginalLength + bytesExpand];
            System.arraycopy(key, 0, expandKey, 0, bytesExpand);// initial expandKey
            System.arraycopy(key, 0, endKey, 0, key.length);// copy all from key to endKey
            System.arraycopy(expandKey, 0, endKey, key.length, expandKey.length);
            key = endKey;

        // recover nonce from 1st 8 bytes of ciphertext
        int[] counterBlock = new int[16];
        String ctrTxt = ciphertext.substring(0, 8);
        for (int i = 0; i < 8; i++) counterBlock[i] = ctrTxt.charAt(i);

        // generate key schedule
        int[][] keySchedule = keyExpansion(key);

        // separate ciphertext into blocks (skipping past initial 8 bytes)
        int nBlocks = (int) Math.ceil((ciphertext.length() - 8) / (float)blockSize);
        String[] cipherArr = new String[nBlocks];
        for (int b = 0; b < nBlocks; b++) {
            int start = 8 + b * blockSize;
            int end =   8 + b * blockSize + blockSize;
            if (end >= ciphertext.length())
                cipherArr[b] = UTF8Encode(ciphertext.substring(start));
                cipherArr[b] = UTF8Encode(ciphertext.substring(start, end));
        // ciphertext is now array of block-length strings,  ³F.àiþ±wãì¿,ß°d
        // plaintext will get generated block-by-block into "³F.àiþ±wãì¿,ß°" array of block-length strings
        String[] plaintxt = new String[cipherArr.length];
        // Expand CounterBlock
        for (int b = 0; b < nBlocks; b++) {
            // set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)
            for (int c = 0; c < 4; c++)
                counterBlock[15 - c] = (b >> c * 8) & 0xff;
            for (int c = 0; c < 4; c++)
                // counterBlock[15 - c - 4] = (b / 0x100000000 >>> c * 8);
                counterBlock[15 - c - 4] = 0;

            int[] cipherCntr = cipher(counterBlock, keySchedule);  // encrypt counter block
            char[] plaintxtByte = new char[cipherArr[b].length()];
            for (int i = 0; i < cipherArr[b].length(); i++) {

                    plaintxtByte[i] = (char) (cipherCntr[i] ^ cipherArr[b].charAt(i));

            plaintxt[b] = String.copyValueOf(plaintxtByte);

        // join array of blocks into single plaintext string
        plaintext = joinArray(plaintxt);//   plaintxt.Join('');

        // join array of blocks into single plaintext string
        plaintext = UTF8Decode(plaintext);// decode from UTF8 back to Unicode multi-byte chars

    return plaintext;

private static String joinArray(Object[] source){
    String dest = "";
    for(int i = 0; i< source.length; i++){
        dest += (String)source[i];
    return dest;

private static String UTF8Decode(String s) throws Exception {

    byte[] utf8Bytes = new byte[s.length()];
    for (int i = 0; i < s.length(); ++i)
        //Debug.Assert( 0 <= utf8String[i] && utf8String[i] <= 255, "the char must be in byte's range");
        utf8Bytes[i] = (byte)s.charAt(i);

    return new String(utf8Bytes, UTF8);

public static String base64Decoder(String data) throws Exception {

    byte[] b = Base64.decode(data.getBytes("ISO-8859-1"), Base64.NO_WRAP);
    return new String(b, "ISO-8859-1");

private static final String UTF8 = "UTF-8";

private static String UTF8Encode(String s) throws UnsupportedEncodingException {

    return new String(s.getBytes(UTF8), UTF8);

