TripleDES Encryption using CryptoJS in client side and decryption using java DESede on server side

 
Greenhorn
Posts: 7
I am trying to encrypt data using JavaScript and decrypt it on the server side in Java code using TripleDES or DESede. I am able to encrypt, but I am not able to decrypt it on the server side. Can anyone help me resolve this issue? Following is the code for encryption in JS:

var loginId = "xyzabc";
var key = 'ThisIsSecretEncryptionKey';
var encloginId = CryptoJS.TripleDES.encrypt(loginId, key);

Encryption works fine in JS file.

Now I have to decrypt on server side using Java code. Below is the code for decryption:

public static String KEY_STRING = "ThisIsSecretEncryptionKey";

public DESedeEncryption() throws Exception
{
    myEncryptionScheme = DESEDE_ENCRYPTION_SCHEME;
    // The raw bytes of KEY_STRING are used as key material
    keyAsBytes = KEY_STRING.getBytes(UNICODE_FORMAT);

    // DESedeKeySpec uses the first 24 bytes of the array
    myKeySpec = new DESedeKeySpec(keyAsBytes);
    mySecretKeyFactory = SecretKeyFactory.getInstance(myEncryptionScheme);
    cipher = Cipher.getInstance(myEncryptionScheme);

    key = mySecretKeyFactory.generateSecret(myKeySpec);
}

public String encrypt(String unencryptedString) {
    String encryptedString = null;
    System.out.println("Encrypt method call=" + unencryptedString);
    try {
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] plainText = unencryptedString.getBytes(UNICODE_FORMAT);
        byte[] encryptedText = cipher.doFinal(plainText);
        // Base64-encode the raw ciphertext for transport as text
        BASE64Encoder base64encoder = new BASE64Encoder();
        encryptedString = base64encoder.encode(encryptedText);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return encryptedString;
}

I tried generating the key using a salt and IvParameterSpec and tried with HexBinary too. But nothing worked.

I am getting exception as: javax.crypto.BadPaddingException: Given final block not properly padded.

Please help in resolving this issue or any other way to do it.

Thanks in advance.
 
Bartender
Posts: 1166
You show your Java encryption method but not the problematic decryption method! Any reason?

I don't have access to CryptoJS so can you provide the ciphertext that your example produces?

P.S. Why are you using Javascript encryption rather than HTTPS and why are you using a deprecated encryption algorithm?
 
sandy sgp
Greenhorn
Posts: 7
plainText = "Testing_login"
encrypted-data = U2FsdGVkX19fiYSC7ZH20KhUAGhFFDVj2iJICZsyAJU=
key = "ThisIsSecretEncryptionKey"

I am not using the encryption code of Java. If you need to refer to it, I will mention it below.

This is a client requirement. They want to encrypt every input of a form on the client side without interacting with the server side. The encrypted data has to be decrypted on the server side, i.e., at the business layer. I asked them about HTTPS; they do not agree. Anyway, I need to do it this way now. Any other way will be appreciated.

If I do encryption and decryption using Java code, it works fine. If I do both encryption and decryption with Crypto-JS code, it works fine.

But if I do encryption with JS and decryption with Java, then I get the exception. Please refer to this link, https://code.google.com/p/crypto-js/, for the CryptoJS lib.

Any suggestion or solution will be appreciated. Thanks.

JS encryption and decryption
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/tripledes.js"></script>
<script>
var encrypted = CryptoJS.DES.encrypt(plainText , "ThisIsSecretEncryptionKey");

var decrypted = CryptoJS.DES.decrypt(encrypted, "ThisIsSecretEncryptionKey");
</script>

Java encryption code:

public String encrypt(String unencryptedString) {
    String encryptedString = null;
    System.out.println("Encrypt method call=" + unencryptedString);
    try {
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] plainText = unencryptedString.getBytes(UNICODE_FORMAT);
        byte[] encryptedText = cipher.doFinal(plainText);
        BASE64Encoder base64encoder = new BASE64Encoder();
        encryptedString = base64encoder.encode(encryptedText);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return encryptedString;
}
 
Rancher
Posts: 43081
I second the idea of using SSL for encryption instead of JavaScript. You should have your client read http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/.
 
Richard Tookey
Bartender
Posts: 1166
I don't know why you again show the encryption code and not the decryption code and there is a load of relevant code missing (for example the construction of the Cipher object).

A quick look at the ciphertext produced by the Javascript indicates that it is probably Base64 encoded but I don't see you decoding it. A quick look at the CryptoJS documentation indicates that the default block mode is CBC and since you don't provide an IV I have to assume that you have initialised the cipher in ECB block mode. A quick look at the ciphertext produced by the Javascript indicates that the IV bytes are probably the first 8 bytes of the Base64 decoded ciphertext and are randomly selected since they change every time I run a simple example. A quick look at the key conversion indicates that the key bytes are not trivially created from the key string as you have assumed. You will need to go through the CryptoJS javascript source code to see exactly how they are generated.



I really don't understand why you are using symmetric encryption in the client since the key being used is visible to anyone which of course means that there is absolutely no security. That is why public key encryption is used and, for this sort of application, it means HTTPS! I really don't understand why you are using DESede since it is deprecated in favour of AES. Your client needs educating since you are creating a very very insecure system for him.
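
The mismatch between the two sides, as an added example that is not part of the original thread. It assumes CryptoJS's passphrase mode, which emits OpenSSL-compatible output (Base64 of the marker "Salted__", an 8-byte salt, then the CBC ciphertext; the sample ciphertext above starts with that marker) and derives the 24-byte key and 8-byte IV from passphrase and salt with one round of MD5-based EVP_BytesToKey. The class and method names are hypothetical, and the sample message in main is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class CryptoJsTripleDes {   // hypothetical class name
    static final byte[] MAGIC = "Salted__".getBytes(StandardCharsets.US_ASCII);
    // EVP_BytesToKey with MD5, one iteration: D_i = MD5(D_{i-1} || passphrase || salt)
    static byte[] deriveKeyAndIv(String passphrase, byte[] salt) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        byte[] out = new byte[32];   // 24-byte DESede key followed by 8-byte IV
        byte[] block = new byte[0];
        for (int filled = 0; filled < out.length; filled += block.length) {
            md5.update(block);
            md5.update(passphrase.getBytes(StandardCharsets.UTF_8));
            md5.update(salt);
            block = md5.digest();
            System.arraycopy(block, 0, out, filled, block.length);
        }
        return out;
    }

    static byte[] crypt(int mode, String passphrase, byte[] salt, byte[] data) throws Exception {
        byte[] keyIv = deriveKeyAndIv(passphrase, salt);
        Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding"); // mode and padding made explicit
        cipher.init(mode, new SecretKeySpec(keyIv, 0, 24, "DESede"), new IvParameterSpec(keyIv, 24, 8));
        return cipher.doFinal(data);
    }

    static String decrypt(String base64, String passphrase) throws Exception {
        byte[] raw = Base64.getDecoder().decode(base64);
        if (raw.length < 24 || !Arrays.equals(Arrays.copyOf(raw, 8), MAGIC))
            throw new IllegalArgumentException("not a salted OpenSSL-format message");
        byte[] salt = Arrays.copyOfRange(raw, 8, 16);
        byte[] body = Arrays.copyOfRange(raw, 16, raw.length);
        return new String(crypt(Cipher.DECRYPT_MODE, passphrase, salt, body), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: build a message in the same layout with a fixed salt, then decrypt it
        String pass = "ThisIsSecretEncryptionKey";
        byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8};
        byte[] body = crypt(Cipher.ENCRYPT_MODE, pass, salt, "Testing_login".getBytes(StandardCharsets.UTF_8));
        byte[] msg = ByteBuffer.allocate(16 + body.length).put(MAGIC).put(salt).put(body).array();
        System.out.println(decrypt(Base64.getEncoder().encodeToString(msg), pass));
    }
}
```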

 
sandy sgp
Greenhorn
Posts: 7
I missed posting the decrypt method of Java:

public String decrypt(String encryptedString) {
    String decryptedText = null;
    try {
        cipher.init(Cipher.DECRYPT_MODE, key);
        BASE64Decoder base64decoder = new BASE64Decoder();
        byte[] encryptedText = base64decoder.decodeBuffer(encryptedString);
        byte[] plainText = cipher.doFinal(encryptedText);
        decryptedText = bytes2String(plainText);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return decryptedText;
}
 
sandy sgp
Greenhorn
Posts: 7
Thanks Richard for your concern. I joined this project 3 days back. I already discussed the same thing with them. I told them about the symmetric key.
I told them to prefer AES at least.

I am done with Base64 encoding and all. I tried an IV with 8 bytes; it's also not working. I tried every possible way, but didn't get any solution.

I had a solution for AES but not for TripleDES. :-|
 
Richard Tookey
Bartender
Posts: 1166

sandy sgp wrote:
I had a solution for AES but not for TripleDES. :-|



Your decrypt code cannot possibly work since it does not use CBC and since the code for DESede should be pretty much identical to that of the AES code (the Javascript uses a common base class for all the symmetric with the derived classes just providing the basic algorithm) I'm sceptical that your AES code ever worked.

Even though I probably could I am not willing to take this any further since I can't condone you deliberately creating an insecure system.

Bye


P.S. I just noticed one glaring error!
 
sandy sgp
Greenhorn
Posts: 7
Thanks Richard for your reply and suggestion.

I used CBC also, but I was getting the same exception.

I know it will be an insecure site, but I am looking for a solution for my knowledge.

For the client, I had already given them a solution. Since encryption and decryption with JS will work, I worked in the same way.

I do encryption on the client side using JS, and at the server side I also executed decryption with JS code using ScriptEngineManager.
ScriptEngineManager manager = new ScriptEngineManager();
ScriptEngine engine = manager.getEngineByName("JavaScript");
------ and so on.

It's working fine.
 
Ulf Dittmer
Rancher
Posts: 43081

I know it will be an insecure site


As a professional, you should not be content with that.
 
sandy sgp
Greenhorn
Posts: 7

Thanks for your comment and suggestion.

I discussed with them again and they accepted the AES implementation. AES is working fine with encryption in JS and decryption in Java.
Thanks Richard for your suggestion.
 
Richard Tookey
Bartender
Posts: 1166

sandy sgp wrote:
I discussed with them again and they accepted for AES implementation.



You seem to have missed the point Sandy. Whether one uses AES, DES, Triple DES, Blowfish or any other symmetric encryption in this way it is totally insecure. It is so insecure that you may as well not have done the encryption.

If you let this scheme go through it will be professional negligence at best and, since you have been warned, you are opening yourself up to civil and possibly criminal proceedings when someone breaks into the site. You cannot allow this scheme to go through. I repeat - You cannot allow this scheme to go through.
 
sandy sgp
Greenhorn
Posts: 7
I got your point. In AES we will read the key from a file, or the key will get generated using a pass-phrase and salt, and it will not get stored on the client side. The above post was from a demo application. I know it is better to use RSA or to go for HTTPS.

I discussed the HTTPS implementation too; they are planning to do it by next year. For now they want to do this implementation.

Thanks.
 
Richard Tookey
Bartender
Posts: 1166

sandy sgp wrote:
I discussed for HTTPS implementation too, they are planning to do it by next year.


I really don't understand this. It will take far far far less effort to set up an HTTPS system than it will take to set up the proposed very insecure system.

For now they want to do this implementation.


Criminal!
 
Greenhorn
Posts: 1
@sandy sgp How did you find the solution for AES with CBC mode? I have been struggling with it for the last three days, please provide the solution.
 
Greenhorn
Posts: 1
Can I have the complete code of how you decrypt Triple DES with JavaScript on the Java side?
 