var loginId = "xyzabc";
var key = 'ThisIsSecretEncryptionKey';
var encloginId = CryptoJS.TripleDES.encrypt(loginId, key);
Encryption works fine in the JS file.
Now I have to decrypt on the server side using Java code. Below is the code for decryption:
public static String KEY_STRING = "ThisIsSecretEncryptionKey";
public DESedeEncryption() throws Exception
{
    myEncryptionScheme = DESEDE_ENCRYPTION_SCHEME;
    keyAsBytes = KEY_STRING.getBytes(UNICODE_FORMAT);
    myKeySpec = new DESedeKeySpec(keyAsBytes);
    mySecretKeyFactory = SecretKeyFactory.getInstance(myEncryptionScheme);
    cipher = Cipher.getInstance(myEncryptionScheme);
}
I am not using the Java encryption code. If you need to refer to it, I will mention it below.
This is a client requirement. They want to encrypt all input data of a form on the client side without interacting with the server side. The encrypted data has to be decrypted on the server side, i.e., at the business layer. I asked them about HTTPS, but they did not agree. Anyway, I need to do it this way for now. If there is any other way, it will be appreciated.
If I do both encryption and decryption using Java code, it works fine. If I do both encryption and decryption with Crypto-JS code, it works fine.
But if I do encryption with JS and decryption with Java, then I get an exception. Please refer to this link, https://code.google.com/p/crypto-js/, for the CryptoJS lib.
Any suggestion or solution will be appreciated. Thanks.
JS encryption and decryption
var encrypted = CryptoJS.DES.encrypt(plainText , "ThisIsSecretEncryptionKey");
var decrypted = CryptoJS.DES.decrypt(encrypted, "ThisIsSecretEncryptionKey");
I don't know why you again show the encryption code and not the decryption code and there is a load of relevant code missing (for example the construction of the Cipher object).
I really don't understand why you are using symmetric encryption in the client since the key being used is visible to anyone, which of course means that there is absolutely no security. That is why public key encryption is used and, for this sort of application, it means HTTPS! I really don't understand why you are using DESede since it is deprecated in favour of AES. Your client needs educating since you are creating a very very insecure system for him.
sandy sgp wrote:
I had a solution for AES but not for TripleDES. :-|
Even though I probably could I am not willing to take this any further since I can't condone you deliberately creating an insecure system.
P.S. I just noticed one glaring error!
Thanks, Richard, for your reply and suggestion.
I used CBC also, but I was getting the same exception.
I know it will be an insecure site, but I am looking for a solution for my knowledge.
For the client, I had already given them a solution. Since encryption and decryption with JS will work, I worked in the same way.
sandy sgp wrote:
I discussed with them again and they agreed to an AES implementation.
You seem to have missed the point Sandy. Whether one uses AES, DES, Triple DES, Blowfish or any other symmetric encryption in this way it is totally insecure. It is so insecure that you may as well not have done the encryption.
If you let this scheme go through it will be professional negligence at best and, since you have been warned, you are opening yourself up to civil and possibly criminal proceedings when someone breaks into the site. You cannot allow this scheme to go through. I repeat - You cannot allow this scheme to go through.
I got your point. In AES we will read the key from a file, or the key will be generated using a pass-phrase and salt, and it will not be stored on the client side. The above post was from a demo application. I know it is better to use RSA or to go for HTTPS.
I discussed HTTPS implementation too; they are planning to do it by next year. For now they want to do this implementation.
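Added example, not code from any poster in this thread: a likely reason the JS-to-Java round trip fails is that CryptoJS treats a string key as a passphrase, deriving the 3DES key and IV from it with OpenSSL's MD5-based EVP_BytesToKey and a random salt and emitting Base64 of "Salted__" + salt + ciphertext, whereas `DESedeKeySpec` takes the first 24 bytes of the encoded string as the key. The Java sketch below decodes that layout; the class and method names are hypothetical, it assumes the client sends `encloginId.toString()`, and the sample message is constructed in Java rather than captured from a browser.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import static java.nio.charset.StandardCharsets.UTF_8;

public class CryptoJsTripleDesInterop {
    // OpenSSL EVP_BytesToKey, MD5, one round: D_i = MD5(D_{i-1} || passphrase || salt).
    static byte[] evpBytesToKey(byte[] pass, byte[] salt, int len) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        ByteBuffer out = ByteBuffer.allocate(len + 16);
        byte[] block = new byte[0];
        while (out.position() < len) {
            md5.update(block);
            md5.update(pass);
            block = md5.digest(salt);
            out.put(block);
        }
        return Arrays.copyOf(out.array(), len);
    }
    // Key (24 bytes) and IV (8 bytes) are both derived from the passphrase and the per-message salt.
    static Cipher cipher(int mode, String passphrase, byte[] salt) throws Exception {
        byte[] keyIv = evpBytesToKey(passphrase.getBytes(UTF_8), salt, 32);
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(keyIv, 0, 24, "DESede"), new IvParameterSpec(keyIv, 24, 8));
        return c;
    }
    // Input: Base64 of "Salted__" || 8-byte salt || CBC ciphertext.
    static String decrypt(String base64, String passphrase) throws Exception {
        byte[] raw = Base64.getDecoder().decode(base64);
        if (raw.length < 24 || !new String(raw, 0, 8, UTF_8).equals("Salted__"))
            throw new IllegalArgumentException("not an OpenSSL-style salted message");
        byte[] salt = Arrays.copyOfRange(raw, 8, 16);
        byte[] plain = cipher(Cipher.DECRYPT_MODE, passphrase, salt).doFinal(raw, 16, raw.length - 16);
        return new String(plain, UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String pass = "ThisIsSecretEncryptionKey"; // value from the original post
        // Constructed sample: a message built in the same layout, not a captured one.
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, pass, salt).doFinal("xyzabc".getBytes(UTF_8));
        byte[] wire = ByteBuffer.allocate(16 + ct.length).put("Salted__".getBytes(UTF_8)).put(salt).put(ct).array();
        System.out.println(decrypt(Base64.getEncoder().encodeToString(wire), pass)); // prints xyzabc
    }
}
```

This addresses interoperability only: as the replies point out, the passphrase ships in the page's JavaScript, so the scheme gives no confidentiality and does not replace HTTPS.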