IBM Support

How to troubleshoot and debug the javax.crypto.AEADBadTagException

Troubleshooting


Problem

The AEADBadTagException is thrown when the cryptographic integrity check on the data fails during decryption. This is commonly seen with AEAD block ciphers like AES in GCM mode. (Example cipher SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
 SystemErr                                                    R javax.crypto.AEADBadTagException
 SystemErr                                                    R     at com.ibm.crypto.provider.GCTRInHardware.gcm_ad(Unknown Source)
 SystemErr                                                    R     at com.ibm.crypto.provider.aI.c(Unknown Source)
 SystemErr                                                    R     at com.ibm.crypto.provider.AESGCMCipher.engineDoFinal(Unknown Source)
 SystemErr                                                    R     at javax.crypto.Cipher.doFinal(Unknown Source)
 SystemErr                                                    R     at com.ibm.jsse2.n.a(n.java:279)
 SystemErr                                                    R     at com.ibm.jsse2.b.a(b.java:12)
 SystemErr                                                    R     at com.ibm.jsse2.av.a(av.java:346)
 SystemErr                                                    R     at com.ibm.jsse2.av.i(av.java:282)

Symptom

Sysmptom for this error causes:
    a) Data Corruption: Occurs if the ciphertext or associated data is modified or corrupted.
    b) Key Mismatch: Using a different key for decryption than was used for encryption.
    c) Nonce/IV Reuse: Reusing the nonce or initialization vector for multiple encryptions with the same key.
    d) Incorrect Tag Handling: The authentication tag is either incorrect or improperly handled.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m50000000CdL6AAK","label":"WebSphere Application Server traditional-All Platforms-\u003ESecurity-\u003ESSL-\u003ESSL - SDK-JAVA"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
03 March 2025

UID

ibm17080017

Page Feedback