• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Junilu Lacar
  • Liutauras Vilda
Sheriffs:
  • Paul Clapham
  • Jeanne Boyarsky
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Stephan van Hulst
  • Piet Souris
  • Carey Brown
Bartenders:
  • Jesse Duncan
  • Frits Walraven
  • Mikalai Zaikin

Java encryption -> javascript decryption

 
Ranch Hand
Posts: 75
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm trying to use tripleDES on a string in Java and decrypt it on javascript using crypto-js (I know there is a similar question but it's the other way around and cannot see the solution there)

As you may see the key is the 24 bytes 123.... (not final value of course)

java code



and in Javascript



Any minimal lead that tells me what i'm doing wrong (surely in javascript)
 
Rancher
Posts: 43028
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This step is wrong:

new String(..., "utf-8")


Encrypted data is binary data, you can't treat it as if it were text. If you need to transfer it as a string, use base-64 to convert it to ASCII.
 
Alex Armenteros
Ranch Hand
Posts: 75
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Already done that, but "javascript dec.toString" returns nothing.

Changed the last java line to:

 
Ulf Dittmer
Rancher
Posts: 43028
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
So in the JavaScript, "texto" has the correct, base-64 encoded value, but "dec" is assigned the empty string?

BTW, I don't know what "decrypt" returns, but assuming that it's the cleartext as a string, the "toString" should be unnecessary. (But then, -considering doing cryptography in JavaScript not such a good idea- I have no idea how that library works.)
 
Bartender
Posts: 1166
17
Netbeans IDE Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Using Javascript with symmetric encryption always seems silly to me but what the heck. You need to look a the CryptoJC source to see exactly what it does because

uses block mode ECB with PKCS5 padding.

You should note that if you are using ECB then your code is not very secure since ECB allows forgery of ciphertext by splicing.
 
author
Posts: 23923
142
jQuery Eclipse IDE Firefox Browser VI Editor C++ Chrome Java Linux Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Richard Tookey wrote:Using Javascript with symmetric encryption always seems silly to me but what the heck. You need to look a the CryptoJC source to see exactly what it does because

uses block mode ECB with PKCS5 padding.

You should note that if you are using ECB then your code is not very secure since ECB allows forgery of ciphertext by splicing.



Also, Java's version of triple DES does encrypt, decrypt, and encrypt (EDE), with three different DES keys. Interestingly, this is not the most common mode. I believe the most common is EDE with two DES keys.

So... you need to ensure that these match too -- in addition to what Richard and Ulf stated.

Henry
 
Alex Armenteros
Ranch Hand
Posts: 75
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
It seems cryptoJS uses CBC and Pkcs7 as defaults, going to see if i can change it and I inform all of you.
 
Richard Tookey
Bartender
Posts: 1166
17
Netbeans IDE Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Alex Armenteros wrote:It seems cryptoJS uses CBC and Pkcs7 as defaults, going to see if i can change it and I inform all of you.



Note - PKCS7 when used like this is the same as PKCS5 and yhy would you want to change from secure CBC mode to insecure ECB mode. Change your Java code to use CBC. You will still need to look at the Javascipt source to see how the CBC IV is specified and then match this in your Java.
 
Alex Armenteros
Ranch Hand
Posts: 75
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
After some tries with lots of changes, and still without results

I configured the cipher in a MUCH simpler way like this... (I'm not aiming for security right now, I'm aiming for functionality)





and in JS


Tried decrypting in java and no problem.

Tried decrypting in JS and nothing on the output.

I'll try other places to look for an answer as it seems a problem with cryptoJS library. Thanks for your answers

PS: Used an online tool (dunno if links are allowed in this forum) to test the ciphertext (now I'm using Hex text, instead of base64) and the key and it decrypts perfectly (except the final padding ofc)

PS2: Finally i got it to work... And my final conclusion is that the documentation in crypto-js website is not useful. In decrypt function the ciphertext must be passed like this. "CryptoJS.lib.CipherParams.create({ciphertext: CryptoJS.enc.Hex.parse(texto)})" [Using Hex ciphertext]
 
Richard Tookey
Bartender
Posts: 1166
17
Netbeans IDE Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The basic problem with the Javascript is that the key one specifies is not a simple AES key. It is in some way derived from the key string by some algorithm that must be specified somewhere but I don't know where! Running the AES example on their website of

and taking the values for the key, IV and ciphertext from the alerts I can decrypt using


Since one gets a different key each time one runs the Javascript there is obviously some random salt and you will need to duplicate the key generation algorithm in your Java code. I will leave you the task of working out the algorithm but I would guess that the algorithm is one of the standard PBE algorithms but which one?

Note the Base64 encode 'encrypted' must contain the salt and IV or one could not decrypt and it should be easy to deduce the format.

 
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Java Encryption:


Java Script Decryption:

include- rollups/aes.js, components/mode-ecb-min.js



Working Fine for Me.
 
Yugandhar Gangu
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In case of Triple DES:

Java Code:



Java Script:

include- rollups/tripledes.js, components/mode-ecb-min.js

 
Saloon Keeper
Posts: 14018
316
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Do NOT use that code verbatim. There are a couple of big issues:

  • Passwords and plain texts handled as Strings.
  • Key material derived directly from raw password bytes. NEVER DO THIS. Use a password based key derivation factory, such as PBKDF2 or bcrypt.
  • Raw password is being sent to client. BIG NO NO.


  • Also, you shouldn't perform encryption without authentication, but I'm not sure if JavaScript has a library that supports AEAD.
     
    Don't get me started about those stupid light bulbs.
    reply
      Bookmark Topic Watch Topic
    • New Topic