120

Is there a library available for AES 256-bits encryption in Javascript?

Cheeso
  • 189,189
  • 101
  • 473
  • 713
coder
  • 2,239
  • 5
  • 22
  • 20
  • 1
    Here is what you need for AES encryption using crypto-js – Hari Das Jun 12 '17 at 07:02
  • There is also the Stanford Javascript Crypto Library (SJCL): https://crypto.stanford.edu/sjcl/ – JonathanDavidArndt Nov 02 '20 at 03:24
  • https://stackoverflow.com/questions/18279141/javascript-string-encryption-and-decryption – T.Todua Apr 18 '21 at 13:43
  • https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt – mti2935 Aug 24 '21 at 23:24

14 Answers14

71

JSAES is a powerful implementation of AES in JavaScript. http://point-at-infinity.org/jsaes/

rationalboss
  • 5,330
  • 3
  • 30
  • 50
backslash17
  • 5,300
  • 4
  • 31
  • 46
  • 38
    JSAES is licensed under GNU GPL - therefore it is not usable for some projects. – Robert Apr 13 '11 at 07:57
  • How can I specify a 'mode of operation' and IV? Doesn't look like it's an option. – Oliver Pearmain Oct 24 '11 at 09:39
  • 12
    This is now quite useful and feature rich http://code.google.com/p/crypto-js/ – David Kierans Apr 25 '12 at 04:21
  • 2
    @HappyDeveloper Well, no. Don't blame the license for this. The author has chosen the wrong license, as GPL is not suitable for libraries. – inta Jun 25 '13 at 09:13
  • You can use: https://github.com/digitalbazaar/forge under a BSD license. – dlongley Aug 21 '13 at 14:43
  • 1
    What's wrong with GPL license? It is still free to use. – shasi kanth Feb 04 '14 at 10:47
  • 4
    It's "free of cost to use", but you can't use it if you want to release your resulting product under something other than the GPL. – Curtis Mar 07 '14 at 20:31
  • If you argue the library to be sufficiently disconnected you can use it. Not sure how the courts feel about that (anyone have a source?) – Lodewijk Sep 26 '14 at 02:32
  • 5
    **JSAES** is a good starting point but it can be used only to encrypt 16 bytes of data. If you want to encrypt bigger block of data you have to extend it yourself to implement intialization vector, encrypt mode (CBC or other...), padding. – Paolo Dec 02 '15 at 16:39
  • Source Code: http://point-at-infinity.org/jsaes/jsaes.js < 200 lines. Exactly what I was looking for. – Seph Reed Aug 02 '16 at 21:06
  • ```The code is well documented and the API trivial. ``` - I want to send a sensitive data to a friend over email. We've already established a shared secret *(offline, handwritten)* - why usability of crypto is so 1994? – Mars Robertson Jan 13 '18 at 04:16
  • @MarsRobertson When I first saw that line, I laughed so hard. This is what every programmer thinks of their own work. But I did actually try it, and the API was indeed trivial. Maybe a little too trivial for something like AES. Before serious use, JSAES ought to be extended to use IV, etc. – JonathanDavidArndt Nov 01 '20 at 02:14
38

Here's a demonstration page that uses slowAES.

slowAES was easy to use. Logically designed. Reasonable OO packaging. Supports knobs and levers like IV and Encryption mode. Good compatibility with .NET/C#. The name is tongue-in-cheek; it's called "slow AES" because it's not implemented in C++. But in my tests it was not impractically slow.

It lacks an ECB mode. Also lacks a CTR mode, although you could build one pretty easily given an ECB mode, I guess.

It is solely focused on encryption. A nice complementary class that does RFC2898-compliant password-based key derivation, in Javascript, is available from Anandam. This pair of libraries works well with the analogous .NET classes. Good interop. Though, in contrast to SlowAES, the Javascript PBKDF2 is noticeably slower than the Rfc2898DeriveBytes class when generating keys.

It's not surprising that technically there is good interop, but the key point for me was the model adopted by SlowAES is familiar and easy to use. I found some of the other Javascript libraries for AES to be hard to understand and use. For example, in some of them I couldn't find the place to set the IV, or the mode (CBC, ECB, etc). Things were not where I expected them to be. SlowAES was not like that. The properties were right where I expected them to be. It was easy for me to pick up, having been familiar with the Java and .NET crypto programming models.

Anandam's PBKDF2 was not quite on that level. It supported only a single call to DeriveBytes function, so if you need to derive both a key and an IV from a password, this library won't work, unchanged. Some slight modification, and it is working just fine for that purpose.

EDIT: I put together an example of packaging SlowAES and a modified version of Anandam's PBKDF2 into Windows Script Components. Using this AES with a password-derived key shows good interop with the .NET RijndaelManaged class.

EDIT2: the demo page shows how to use this AES encryption from a web page. Using the same inputs (iv, key, mode, etc) supported in .NET gives you good interop with the .NET Rijndael class. You can do a "view source" to get the javascript for that page.

EDIT3
a late addition: Javascript Cryptography considered harmful. Worth the read.

Stephen Rauch
  • 47,830
  • 31
  • 106
  • 135
Cheeso
  • 189,189
  • 101
  • 473
  • 713
  • 8
    +1 for [JavaScript Cryptography considered harmful](https://web.archive.org/web/20160323100711/https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/) – Mike Pennington Dec 28 '11 at 10:25
  • 1
    I see one valid use-case - HTML 5 app in which all files are stored localy. If local files can be hijacked then your doomed in any case ;-). – Nux Jan 09 '12 at 23:18
  • 8
    about edit3 link, it is a piece of crap of an article... half of its statements are completely false! – mjs Jan 10 '12 at 09:07
  • 1
    I hate when everyone fails to mention that ssl/tls is not a secure protocol, but in fact prone to attacks, especially from goverments which all serious security statements should ultimately consider. If you can't trust the NSA or the certificate provider, how can I ensure security between the user and my server? Further more, the user should also be protected against me, the server! I believe ssl/tls + javascript encryption is the way to go, and the motivitaion is secure javascript delivery + isolated private and public key generation. – mjs Jan 10 '12 at 09:39
  • 2
    The random key problem can be addressed by having the user move the mouse and enter keys as a true random generator. – mjs Jan 10 '12 at 09:39
  • 3
    The link to the demonstration page appears to be broken. – Sean Aug 31 '13 at 09:40
  • Also the link to the JS demo page in the slowAES page is broken, and there doesn't seem to be any documentation at all. – CpnCrunch Oct 24 '13 at 17:15
  • A clear working example of slowaes would be very useful... all the links are broken. – Shaun Budhram Mar 23 '14 at 07:17
  • @MikePennington the article says: "You could use SSL/TLS to solve this problem, but that's expensive and complicated." What did I missed?^^ – Martin Pfeffer Mar 02 '17 at 23:29
  • @MartinPfeffer I don't understand the question; please provide more context or better still ask a new question referencing this one – Mike Pennington Mar 03 '17 at 14:57
  • @momomo the article responds to your comment about JavaScript cryptography + TLS. Your task would be defeating the arguments already made against browser hosted cryptographic code listed in the article – Mike Pennington Mar 03 '17 at 15:22
31

In my searches for AES encryption i found this from some Standford students. Claims to be fastest out there. Supports CCM, OCB, GCM and Block encryption. http://crypto.stanford.edu/sjcl/

Janus Troelsen
  • 20,267
  • 14
  • 135
  • 196
Danny C
  • 2,980
  • 2
  • 28
  • 20
  • thats what I am talkin about! – mjs Jan 10 '12 at 09:07
  • 5
    Documentation is lacking, and it's hard to use. How do you change key length? I hunted round the docs and couldn't figure it out in a reasonable time. Also when you encrypt something you get an array of key-value pairs returned, but the docs don't seem to explain these. I ended up using the movable type library. – CpnCrunch Oct 24 '13 at 17:14
  • And this is not async so if you are encrypting or decrypting some longer string for example with AES-CBC, then it blocks the UI – rsz Sep 20 '16 at 20:15
13

Googling "JavaScript AES" has found several examples. The first one that popped up is designed to explain the algorithm as well as provide a solution:

Movable Type Scripts: AES

Samir Talwar
  • 14,220
  • 3
  • 41
  • 65
  • 1
    I couldn't figure out how to set the IV in that library. Also it's not very OO. – Cheeso May 13 '09 at 13:25
  • The equivalent of the IV in counter mode is the nonce. This implementation has been reformulated to be more OO. It does only include counter (CTR) mode of operation. – ChrisV Oct 01 '10 at 08:46
  • This works pretty well, except it doesn't have any ECB mode. – CpnCrunch Oct 24 '13 at 21:10
  • Googling it also shows up this question as the second result. – ublec May 04 '21 at 01:27
  • 1
    You'll have to forgive me; this answer is 12 years old, and Stack Overflow didn't show up on Google very often when I wrote it. :-) – Samir Talwar May 04 '21 at 15:45
12

This post is now old, but the crypto-js, may be now the most complete javascript encryption library.

CryptoJS is a collection of cryptographic algorithms implemented in JavaScript. It includes the following cyphers: AES-128, AES-192, AES-256, DES, Triple DES, Rabbit, RC4, RC4Drop and hashers: MD5, RIPEMD-160, SHA-1, SHA-256, SHA-512, SHA-3 with 224, 256, 384, or 512 bits.

You may want to look at their Quick-start Guide which is also the reference for the following node.js port.

node-cryptojs-aes is a node.js port of crypto-js

marcz
  • 1,178
  • 11
  • 12
  • 1
    Unfortunately the documentation is lacking. It only seems to have a 'quick start' guide. Where is the full documentation? It says it supports multiple key lengths, but no documentation on how to do that. – CpnCrunch Oct 24 '13 at 17:10
  • @CpnCrunch : the full API doc is not online, but the code as full javadoc api comments. And you can generate it. Read the comments on [cipher-core.js source](http://code.google.com/p/crypto-js/source/browse/tags/3.1.2/src/cipher-core.js) youl find cipher's key size and cipher's IV size. – marcz Mar 12 '14 at 11:00
  • weird, when i encrypt and decrypt back, the texts are different – OMGPOP Mar 19 '14 at 12:08
  • There are some conflicts because of use openssl – Vlad Jan 17 '20 at 11:50
9

Recently I had the need to perform some encryption/decryption interoperability between javascript and python.

Specifically...

1) Using AES to encrypt in javascript and decrypt in python (Google App Engine) 2) Using RSA to encrypt in javascript and decrypt in python (Google App Engine) 3) Using pycrypto

I found lots and lots of different versions of RSA and AES floating around the web and they were all different in their approach but I did not find a good example of end to end javascript and python interoperability.

Eventually I managed to cobble together something that suited my needs after a lot of trial and error.

Anyhow I knocked up an example of a js/webapp talking to a google app engine hosted python server that uses AES and public key and private key RSA stuff.

I though I'd include it here by link in case it will be of some use to others who need to accomplish the same thing.

http://www.ipowow.com/files/aesrsademo.tar.gz

and see demo at rsa-aes-demo DOT appspot DOT com

edit: look at the browser console output and also view source to get some hints and useful messages as to what's going on in the demo

edit: updated very old and defunct link to source to now point to

https://sestertii.com/files/aesrsademo.tar.gz

David Kierans
  • 1,599
  • 1
  • 16
  • 24
8

Judging from my own experience, asmcrypto.js provides the fastest AES implementation in JavaScript (especially in Firefox since it can fully leverage asm.js there).

From the readme:

Chrome/31.0
SHA256: 51 MiB/s (9 times faster than SJCL and CryptoJS)
AES-CBC: 47 MiB/s (13 times faster than CryptoJS and 20 times faster than SJCL)

Firefox/26.0
SHA256: 144 MiB/s (5 times faster than CryptoJS and 20 times faster than SJCL)
AES-CBC: 81 MiB/s (3 times faster than CryptoJS and 8 times faster than SJCL)

Edit: The Web Cryptography API is now implemented in most browsers and should be used as the primary solution if you care about performance. Be aware that IE11 implemented an earlier draft version of the standard which did not use promises.

Some examples can be found here:

Joel
  • 15,496
  • 7
  • 52
  • 40
7

Use CryptoJS

Here's the code: https://github.com/odedhb/AES-encrypt

And here's an online working example: https://odedhb.github.io/AES-encrypt/

Oded Breiner
  • 28,523
  • 10
  • 105
  • 71
4

Try asmcrypto.js — it's really fast.

PS: I'm an author and I can answer your questions if any. Also I'd be glad to get some feedback :)

vibornoff
  • 59
  • 2
  • asmcrypto.js is nice, but on IE10 its not works well. it hangs browser for more than 1 min sometimes, or at least 45 sec. Plus, I didn't understand, why you need to replace global Math function? there are lot of libraries which use this one. – decho Sep 26 '14 at 11:20
  • 2
    Could you comment on how you're sure it's working properly? IOW: How do you know you implemented AES properly? – Lodewijk Sep 26 '14 at 17:37
  • IE10 performance is poor due to it doesn't optimize asm.js at all. Also it has a bit different JIT patterns. Making the code work well in IE also makes it suck in Chrome and FF. Suppose I had right choice. Regarding to _Math.random_ there was a long [discussion](https://github.com/vibornoff/asmcrypto.js/issues/27). Shortly speaking this need for prevention of raw _Math.random_ output leakage (wich in theory may degrade PRNG security). – vibornoff Sep 29 '14 at 22:15
3

There is also a Stanford free lib as an alternative to Cryptojs

http://crypto.stanford.edu/sjcl/

Jai
  • 366
  • 2
  • 8
3

If you are trying to use javascript to avoid using SSL, think again. There are many half-way measures, but only SSL provides secure communication. Javascript encryption libraries can help against a certain set of attacks, but not a true man-in-the-middle attack.

The following article explains how to attempt to create secure communication with javascript, and how to get it wrong: Use JavaScript encryption module instead of SSL/HTTPS

Note: If you are looking for SSL for google app engine on a custom domain, take a look at wwwizer.com.

speedplane
  • 15,673
  • 16
  • 86
  • 138
  • 2
    Not sure why this was downvoted to oblivion, as it is a very good point that anyone thinking of implementing javascript encryption needs to at the very least consider. Upvoted. – Jules Feb 28 '14 at 18:41
  • Using client side crypto to avoid SSL is an old point which some people say to go against it: in fact it can add security to HTTPS, avoiding passive attacks, or be used in downloaded applications and browser extensions. I just saw once it being used wrong (my college, but they already fixed it) and many times used right (cryptocat, as a example). – Gustavo Rodrigues Aug 15 '15 at 20:15
2

Another solution w/AES-256 support: https://github.com/digitalbazaar/forge

dlongley
  • 2,078
  • 14
  • 17
2

Here is the only solution that worked for me:

http://www.hanewin.net/encrypt/aes/aes.htm

It's pretty basic, but simple to use and seems to work well.

CpnCrunch
  • 4,831
  • 1
  • 33
  • 31
2

http://www.movable-type.co.uk/scripts/aes.html library may be of some help.

Kirtan
  • 21,295
  • 6
  • 46
  • 61