TripleDES Encryption using CryptoJS in client side and decryption using java DESede on server side

sandy sgp
Greenhorn

Joined: Apr 09, 2014
Posts: 7
I am trying to encrypt data using JavaScript and decrypt it in server-side Java code using TripleDES (DESede). I am able to encrypt, but I am not able to decrypt it on the server side. Can anyone help me resolve this issue? Following is the code for encryption in JS:

var loginId = "xyzabc";
var key = 'ThisIsSecretEncryptionKey';
var encloginId = CryptoJS.TripleDES.encrypt(loginId, key);

Encryption works fine in JS file.

Now I have to decrypt on server side using Java code. Below is the code for decryption:

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
// Field declarations and the two constant values below are assumed; the original post omits them.
public static final String DESEDE_ENCRYPTION_SCHEME = "DESede"; // the JDK expands this to DESede/ECB/PKCS5Padding
public static final String UNICODE_FORMAT = "UTF8";
public static String KEY_STRING = "ThisIsSecretEncryptionKey";
private String myEncryptionScheme;
private byte[] keyAsBytes;
private DESedeKeySpec myKeySpec;
private SecretKeyFactory mySecretKeyFactory;
private Cipher cipher;
private SecretKey key;

public DESedeEncryption() throws Exception
{
    myEncryptionScheme = DESEDE_ENCRYPTION_SCHEME;
    keyAsBytes = KEY_STRING.getBytes(UNICODE_FORMAT); // 25 bytes; DESedeKeySpec uses only the first 24

    myKeySpec = new DESedeKeySpec(keyAsBytes);
    mySecretKeyFactory = SecretKeyFactory.getInstance(myEncryptionScheme);
    cipher = Cipher.getInstance(myEncryptionScheme);

    key = mySecretKeyFactory.generateSecret(myKeySpec);
}

public String encrypt(String unencryptedString) {
    String encryptedString = null;
    System.out.println("Encrypt method call=" + unencryptedString);
    try {
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] plainText = unencryptedString.getBytes(UNICODE_FORMAT);
        byte[] encryptedText = cipher.doFinal(plainText);
        BASE64Encoder base64encoder = new BASE64Encoder(); // sun.misc.BASE64Encoder
        encryptedString = base64encoder.encode(encryptedText);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return encryptedString;
}

I tried generating the key using a salt and IvParameterSpec, and tried with HexBinary too. But nothing works.

I am getting exception as: javax.crypto.BadPaddingException: Given final block not properly padded.

Please help me resolve this issue, or suggest any other way to do it.

Thanks in advance.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035

You show your Java encryption method but not the problematic decryption method! Any reason?

I don't have access to CryptoJS so can you provide the ciphertext that your example produces.


P.S. Why are you using Javascript encryption rather than HTTPS, and why are you using a deprecated encryption algorithm?
sandy sgp
Greenhorn

Joined: Apr 09, 2014
Posts: 7

plainText = "Testing_login"
encrypted-data = U2FsdGVkX19fiYSC7ZH20KhUAGhFFDVj2iJICZsyAJU=
key = "ThisIsSecretEncryptionKey"

I am not using the Java encryption code. If you need to refer to it, I will mention it below.

This is the client's requirement. They want to encrypt every input value of a form on the client side without interacting with the server side. The encrypted data has to be decrypted on the server side, i.e., at the business layer. I asked them about HTTPS; they do not agree. Anyway, I need to do it this way now. Any other way will be appreciated.

If I do both encryption and decryption using Java code, it works fine. If I do both encryption and decryption with Crypto-JS code, it works fine.

But if I do encryption with JS and decryption with Java, then I get the exception. Please refer to this link for the CryptoJS lib: https://code.google.com/p/crypto-js/

Any suggestion or solution will be appreciated. Thanks.

JS encryption and decryption
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/tripledes.js"></script>
<script>
var encrypted = CryptoJS.DES.encrypt(plainText , "ThisIsSecretEncryptionKey");

var decrypted = CryptoJS.DES.decrypt(encrypted, "ThisIsSecretEncryptionKey");
</script>

Java encryption code:

public String encrypt(String unencryptedString) {
    String encryptedString = null;
    System.out.println("Encrypt method call=" + unencryptedString);
    try {
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] plainText = unencryptedString.getBytes(UNICODE_FORMAT);
        byte[] encryptedText = cipher.doFinal(plainText);
        BASE64Encoder base64encoder = new BASE64Encoder(); // sun.misc.BASE64Encoder
        encryptedString = base64encoder.encode(encryptedText);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return encryptedString;
}
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
I second the idea of using SSL for encryption instead of JavaScript. You should have your client read http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/.


Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035

I don't know why you again show the encryption code and not the decryption code, and there is a load of relevant code missing (for example the construction of the Cipher object).

A quick look at the ciphertext produced by the Javascript indicates that it is probably Base64 encoded, but I don't see you decoding it. A quick look at the CryptoJS documentation indicates that the default block mode is CBC, and since you don't provide an IV I have to assume that you have initialised the cipher in ECB block mode. A quick look at the ciphertext produced by the Javascript indicates that the IV bytes are probably the first 8 bytes of the Base64 decoded ciphertext and are randomly selected, since they change every time I run a simple example. A quick look at the key conversion indicates that the key bytes are not trivially created from the key string as you have assumed. You will need to go through the CryptoJS javascript source code to see exactly how they are generated.

I really don't understand why you are using symmetric encryption in the client, since the key being used is visible to anyone, which of course means that there is absolutely no security. That is why public key encryption is used and, for this sort of application, it means HTTPS! I really don't understand why you are using DESede, since it is deprecated in favour of AES. Your client needs educating, since you are creating a very very insecure system for him.

sandy sgp
Greenhorn

Joined: Apr 09, 2014
Posts: 7
I missed posting the Java decrypt method:

public String decrypt(String encryptedString) {
    String decryptedText = null;
    try {
        cipher.init(Cipher.DECRYPT_MODE, key);
        BASE64Decoder base64decoder = new BASE64Decoder(); // sun.misc.BASE64Decoder
        byte[] encryptedText = base64decoder.decodeBuffer(encryptedString);
        byte[] plainText = cipher.doFinal(encryptedText);
        decryptedText = bytes2String(plainText);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return decryptedText;
}
sandy sgp
Greenhorn

Joined: Apr 09, 2014
Posts: 7
Thanks Richard for your concern. I joined this project 3 days back. I have already discussed the same thing with them. I told them about the symmetric key.
I told them to prefer AES at least.

I have done the Base64 decoding and all. I tried an IV of 8 bytes; that is also not working. I tried every possible way, but didn't get any solution.

I had a solution for AES but not for TripleDES. :-|
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035

sandy sgp wrote:
I had a solution for AES but not for TripleDES. :-|


Your decrypt code cannot possibly work since it does not use CBC, and since the code for DESede should be pretty much identical to that of the AES code (the Javascript uses a common base class for all the symmetric ciphers, with the derived classes just providing the basic algorithm) I'm sceptical that your AES code ever worked.

Even though I probably could I am not willing to take this any further since I can't condone you deliberately creating an insecure system.

Bye


P.S. I just noticed one glaring error!
sandy sgp
Greenhorn

Joined: Apr 09, 2014
Posts: 7
Thanks Richard for your reply and suggestion.

I used CBC also, but I was getting the same exception.

I know it will be an insecure site, but I am looking for a solution for my knowledge.

For the client, I had already given them a solution. Since encryption and decryption with JS works, I worked in the same way.

I do encryption on the client side using JS, and on the server side I also executed decryption with JS code using ScriptEngineManager:
ScriptEngineManager manager = new ScriptEngineManager();
ScriptEngine engine = manager.getEngineByName("JavaScript");
------ and so on.

It's working fine.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
sandy sgp wrote:
I know it will be an insecure site

As a professional, you should not be content with that.
sandy sgp
Greenhorn

Joined: Apr 09, 2014
Posts: 7

Thanks for your comment and suggestion.

I discussed with them again and they have accepted an AES implementation. AES is working fine with encryption in JS and decryption in Java.
Thanks Richard for your suggestion.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035

sandy sgp wrote:
I discussed with them again and they have accepted an AES implementation.


You seem to have missed the point Sandy. Whether one uses AES, DES, Triple DES, Blowfish or any other symmetric encryption in this way, it is totally insecure. It is so insecure that you may as well not have done the encryption.

If you let this scheme go through it will be professional negligence at best and, since you have been warned, you are opening yourself up to civil and possibly criminal proceedings when someone breaks into the site. You cannot allow this scheme to go through. I repeat - You cannot allow this scheme to go through.
sandy sgp
Greenhorn

Joined: Apr 09, 2014
Posts: 7
I got your point. In AES we will read the key from a file, or the key will be generated using a pass-phrase and salt, and it will not get stored on the client side. The above post was from a demo application. I know it is better to use RSA, or to go for HTTPS.

I discussed HTTPS implementation too; they are planning to do it by next year. For now they want to do this implementation.

Thanks.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035

sandy sgp wrote:
I discussed HTTPS implementation too; they are planning to do it by next year.

I really don't understand this. It will take far far far less effort to set up an HTTPS system than it will take to set up the proposed very insecure system.

sandy sgp wrote:
For now they want to do this implementation.

Criminal!