How to encrypt with iOS CryptoKit and decrypt with C# in NetCore

Question

I would like to encrypt data in iOS app with a SymetricKey and the CryptoKit and decrypt on server side with C# in Net Core.

iOS code:

class Security {
    
    static let keyStr = "d5a423f64b607ea7c65b311d855dc48f"  //32
    static let iv="31348c0987c7"    //12
    
    class func encode(_ text:String)->String {
        let key=SymmetricKey(data: Security.keyStr.data(using: .utf8)!)
        let nonce=try! AES.GCM.Nonce(data: iv.data(using: .utf8)!)
        let encrypted=try! AES.GCM.seal(text.data(using: .utf8)!, using: key, nonce: nonce)
        

        return encrypted.combined!.base64EncodedString()
    }
    
}

I pass the result of the encryption to my backend and I would like to decrypt

C# Code:

public string decrypt(string encryptedText)
        {
            string keyStr = "d5a423f64b607ea7c65b311d855dc48f";
            string iv = "31348c0987c7";

            string plaintext = "";

        Debug.WriteLine(encryptedText);

        using (Aes aesAlg = Aes.Create())
        {

            Debug.WriteLine(AesGcm.IsSupported);

            var key = System.Text.Encoding.UTF8.GetBytes(keyStr);
            var iV = System.Text.Encoding.UTF8.GetBytes(iv);
            aesAlg.Key = key;
            aesAlg.IV = iV;

            // Create a decryptor to perform the stream transform.
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

            // Create the streams used for decryption.
            using (MemoryStream msDecrypt = new MemoryStream(Convert.FromBase64String(request.pswd)))
            {
                using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                {
                    using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                    {

                        // Read the decrypted bytes from the decrypting stream
                        // and place them in a string.
                        plaintext = srDecrypt.ReadToEnd();
                    }
                }
            }
        }

        Debug.WriteLine(plaintext);

    }

So for example word: Test gets encrypted as: MzEzNDhjMDk4N2M3CI68IDEJeBR4OFtWO3GPO3TIgos=

When I get to line:

aesAlg.IV = iV;

I get an error "Specified initialization vector (IV) does not match the block size for this algorithm." It seems as if C# needs byte[16], but in iOS I seem to be stuck with 12.

I got stuck at this point. Any idea greately appreciated. Thank you.

Answer 1

The posted Swift code applies AES in GCM mode, s. AES.GCM . The posted C# code also uses AES, however not the GCM mode, but the default CBC mode (s. Aes , Mode ).
The CBC mode applies a 16 bytes IV, while the GCM mode uses a 12 bytes nonce. That is what the error message is pointing to.
For successful decryption, AES in GCM mode must also be used on the C# side. In .NET AES in GCM mode is supported with the AesGcm class (as of .NET Core 3.0).

Note also that the data given by the Swift code is the Base64 encoding of the concatenation of 12 bytes nonce, ciphertext and 16 bytes tag (in that order), which must be separated in the C# code, where the portions are processed individually.

A possible C# implementation that decrypts the ciphertext generated by the posted Swift code is:

byte[] nonceCiphertextTag = Convert.FromBase64String("MzEzNDhjMDk4N2M3CI68IDEJeBR4OFtWO3GPO3TIgos=");
byte[] key = Encoding.UTF8.GetBytes("d5a423f64b607ea7c65b311d855dc48f");

Span<byte> nonceCiphertextTagSpan = nonceCiphertextTag.AsSpan();
Span<byte> nonce = nonceCiphertextTagSpan[..12];
Span<byte> ciphertext = nonceCiphertextTagSpan[12..^16];
Span<byte> tag = nonceCiphertextTagSpan[^16..];
byte[] plaintext = new byte[ciphertext.Length];

using AesGcm aesGcm = new AesGcm(key);
aesGcm.Decrypt(nonce, ciphertext, tag, plaintext); // throws an 'CryptographicException: The computed authentication tag did not match the input authentication tag' if authentication fails

Console.WriteLine(Encoding.UTF8.GetString(plaintext)); // Test

---

Edit : An alternative to the native .NET class AesGcm is C#/BouncyCastle. Maybe this is supported in your environment:

using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;
...
byte[] nonceCiphertextTag = Convert.FromBase64String("MzEzNDhjMDk4N2M3CI68IDEJeBR4OFtWO3GPO3TIgos=");
byte[] key = Encoding.UTF8.GetBytes("d5a423f64b607ea7c65b311d855dc48f");

Span<byte> nonceCiphertextTagSpan = nonceCiphertextTag.AsSpan();
byte[] nonce = nonceCiphertextTagSpan[..12].ToArray();
byte[] ciphertextTag = nonceCiphertextTagSpan[12..].ToArray();

GcmBlockCipher gcmBlockCipher = new GcmBlockCipher(new AesEngine());
AeadParameters aeadParameters = new AeadParameters(new KeyParameter(key), 128, nonce);
gcmBlockCipher.Init(false, aeadParameters);
byte[] plaintext = new byte[gcmBlockCipher.GetOutputSize(ciphertextTag.Length)];
int length = gcmBlockCipher.ProcessBytes(ciphertextTag, 0, ciphertextTag.Length, plaintext, 0);
gcmBlockCipher.DoFinal(plaintext, length); // throws an 'InvalidCipherTextException: mac check in GCM failed' if authentication fails

Console.WriteLine(Encoding.UTF8.GetString(plaintext)); // Test

Note that unlike the native AesGcm class, C#/BouncyCastle requires the concatenation of ciphertext and tag, so only the nonce needs to be separated.