AES Encryption in CryptoJS and Decryption in Coldfusion

We have a Silent Login service, written in Coldfusion9, which accepts encrypted strings from external systems and then decrypts them based on a consistent algorithm / encoding setting. It has been working without problems for many years from systems running ASP / JAVA / PHP, but now we have a client that has no choice but to use CryptoJS to perform encryption and for the life of me, I can’t understand why this will not decrypt in Coldfusion.

My knowledge of encryption is not brilliant, but I notice that the CryptoJS encrypted text for the same string / key is different every time I perform encryption, whereas in Coldfusion / Java I can always expect the exact same encrypted string. I'm not sure whether this is due to the encoding or not, but I never encountered this problem while accepting previously encrypted strings from any other system, so I hope it is just that I am making a mistake in the CryptoJS encryption.

    <cfoutput>
        <!--- Set String and Key --->
        <cfset theKey = toBase64("1234567812345678")>
        <cfset string = " max.brenner@google.com.au ">

        <!--- CryptoJS AES Libraries --->
        <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
        <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/enc-base64-min.js"></script>

        <script>
            // Encrypt String using CryptoJS AES
            var encrypted = CryptoJS.AES.encrypt("#string#", "#theKey#");
            console.log(encrypted.toString());

            // Decrypt String using CryptoJS AES
            var decrypted = CryptoJS.AES.decrypt(encrypted, "#theKey#");
            console.log(decrypted.toString(CryptoJS.enc.Utf8));
        </script>

        <!--- Coldfusion Decrypt String / FAILS --->
        Decrypted: #decrypt(encryptedEmail, "#theKey#", "AES", "BASE64")#
    </cfoutput>
+6
1 answer

There seem to be two problems:

  • CryptoJS does not use your variable as the key. As @Miguel-F mentioned, when you pass a string, "it is treated as a key phrase and used to get [the] actual key and IV." Both are randomly generated, so your encrypted result keeps changing. But more importantly, this means that CryptoJS uses a completely different key than the one in your CF code, which is why decrypt() fails. (At least that's part of the reason ...)

  • The second problem is that in addition to the "AES" algorithm, there are two more encryption parameters that must correspond: mode and the padding scheme. Although CryptoJS and ColdFusion use the same default values for the padding scheme, the “modes” are different:

You need to make sure that all three settings are the same on both sides. Try using CBC mode in CF, as it is safer in any case than ECB. Note: this requires adding an IV value.

CF Code:

    <!--- this is the base64 encrypted value from CryptoJS --->
    <cfset encrypted = "J2f66oiDpZkFlQu26BDKL6ZwgNwN7T3ixst4JtMyNIY=">
    <cfset rawString = " max.brenner@google.com.au ">
    <cfset base64Key = "MTIzNDU2NzgxMjM0NTY3OA==">
    <cfset base64IV = "EBESExQVFhcYGRobHB0eHw==">

    <cfset ivBytes = binaryDecode(base64IV, "base64")>
    <cfoutput>
        #decrypt(encrypted, base64Key, "AES/CBC/PKCS5Padding", "base64", ivBytes)#
    </cfoutput>

CryptoJS: (adjusted source example)

    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/enc-base64-min.js"></script>
    <script>
        var text = "#rawString#";
        // Parse the Base64 strings so they are used as the raw key and IV
        // instead of being treated as a string
        var key = CryptoJS.enc.Base64.parse("#base64Key#");
        var iv = CryptoJS.enc.Base64.parse("#base64IV#");

        // Encrypt with the explicit key and IV
        var encrypted = CryptoJS.AES.encrypt(text, key, {iv: iv});
        console.log(encrypted.toString());

        // Decrypt with the same key and IV
        var decrypted = CryptoJS.AES.decrypt(encrypted, key, {iv: iv});
        console.log(decrypted.toString(CryptoJS.enc.Utf8));
    </script>


Edit:

All that said, what do you mean by the client, "has no choice but to use CryptoJS to perform encryption"? Why can't they use server-side encryption? I am not an expert on encryption, but I perform encryption in javascript, and exposing the key on the client does not sound impeccable to start with ...

+11
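
The two calling conventions the answer contrasts, as an added example that is not part of the original thread and uses Node's built-in crypto module instead of CryptoJS: a string key goes through an OpenSSL-style salted MD5 derivation (random salt, so a new key, IV and ciphertext on every call), while an explicit key and IV give repeatable AES-128-CBC output of the kind the CF decrypt() call above expects. The function names and the sample plaintext are assumptions made for the illustration.

```javascript
// Added example (not from the original thread). Uses Node's built-in crypto
// module to mirror the two ways CryptoJS.AES.encrypt can be called.
const nodeCrypto = require("crypto");

// OpenSSL-style EVP_BytesToKey (MD5, 1 iteration): the derivation CryptoJS
// applies when the "key" argument is a string. Yields 32-byte key + 16-byte IV.
function evpBytesToKey(passphrase, salt) {
  let derived = Buffer.alloc(0);
  let block = Buffer.alloc(0);
  while (derived.length < 48) {
    block = nodeCrypto.createHash("md5")
      .update(Buffer.concat([block, Buffer.from(passphrase, "utf8"), salt]))
      .digest();
    derived = Buffer.concat([derived, block]);
  }
  return { key: derived.subarray(0, 32), iv: derived.subarray(32, 48) };
}

// Passphrase mode: fresh random salt per call, so key, IV and output all change.
function encryptWithPassphrase(text, passphrase) {
  const salt = nodeCrypto.randomBytes(8);
  const { key, iv } = evpBytesToKey(passphrase, salt);
  const c = nodeCrypto.createCipheriv("aes-256-cbc", key, iv);
  const body = Buffer.concat([c.update(text, "utf8"), c.final()]);
  return Buffer.concat([Buffer.from("Salted__"), salt, body]).toString("base64");
}

// Explicit key + IV (AES-128-CBC, PKCS#7 padding): what the answer's
// decrypt(..., "AES/CBC/PKCS5Padding", "base64", ivBytes) call expects.
function encryptWithKey(text, base64Key, base64IV) {
  const key = Buffer.from(base64Key, "base64");
  const iv = Buffer.from(base64IV, "base64");
  const c = nodeCrypto.createCipheriv("aes-128-cbc", key, iv);
  return Buffer.concat([c.update(text, "utf8"), c.final()]).toString("base64");
}

// Counterpart of encryptWithKey, standing in for the server-side decrypt.
function decryptWithKey(base64Cipher, base64Key, base64IV) {
  const d = nodeCrypto.createDecipheriv("aes-128-cbc",
    Buffer.from(base64Key, "base64"), Buffer.from(base64IV, "base64"));
  return Buffer.concat([d.update(base64Cipher, "base64"), d.final()]).toString("utf8");
}

const sampleText = "user@example.com";            // constructed sample plaintext
const sampleKey = "MTIzNDU2NzgxMjM0NTY3OA==";     // base64 key from the answer
const sampleIV = "EBESExQVFhcYGRobHB0eHw==";      // base64 IV from the answer
console.log(encryptWithPassphrase(sampleText, sampleKey)); // differs on every run
console.log(encryptWithKey(sampleText, sampleKey, sampleIV)); // identical on every run
```
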

Source: https://habr.com/ru/post/945216/

