5

I've created an encrypted cookie in .Net and I'm trying to decrypt its content in nodejs. But nodejs keeps throwing the exception "TypeError: DecipherFinal fail".

In .Net I'm using the AES encryption method with the key

932D86BB1448EEAA423F38495A2290746D81C27E55D1DC264279537006D6F4CC.

My web.config file has the following row

```xml
<machineKey validationKey="A5326FFC9D3B74527AECE124D0B7BE5D85D58AFB12AAB3D76319B27EE57608A5A7BCAB5E34C7F1305ECE5AC78DB1FFEC0A9435C316884AB4C83D2008B533CFD9"
            decryptionKey="932D86BB1448EEAA423F38495A2290746D81C27E55D1DC264279537006D6F4CC"
            validation="SHA1" decryption="AES" />
```

And the code that generates my cookie in .Net looks like this:

```csharp
var ticket = new FormsAuthenticationTicket(0, "test", DateTime.Now, DateTime.Now.AddYears(1), true, "test");
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
Response.Cookies.Add(new HttpCookie(cookieName, encryptedTicket));
```

The nodejs code that decrypts the cookie is

```javascript
var crypto = require('crypto');
var logger = require('winston');
var deckey = "932D86BB1448EEAA423F38495A2290746D81C27E55D1DC264279537006D6F4CC";

function hex2a(hex) {
  var str = '';
  for (var i = 0; i < hex.length; i += 2)
    str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  return str;
}

function decrypt(cookie) {
  var ivc = cookie, iv, cipherText, ivSize = 16, res;

  ivc = new Buffer(ivc, 'hex');
  iv = new Buffer(ivSize);

  cipherText = new Buffer(ivc.length - ivSize);
  ivc.copy(iv, 0, 0, ivSize);
  ivc.copy(cipherText, 0, ivSize);

  iv = new Buffer(Array(16));
  c = crypto.createDecipheriv('aes-256-cbc', hex2a(deckey), iv.toString());
  res = c.update(cipherText, 'binary');
  res += c.final('binary'); //<-- throws TypeError: DecipherFinal fail
  return res;
}
```

I'm kind of lost and I would appreciate tips or ideas on what could be the issue.

Kapil Khandelwal
Daniel
  • Do you have a resource that tells you what kind of encryption is performed within `FormsAuthentication.Encrypt()`? Microsoft **again** does not specify the actual output of the method. – Maarten Bodewes Dec 16 '12 at 16:16
  • I've been having this same problem recently, against .Net 4.5. Has anyone made progress on decrypting the cookie in node? – JasonB Apr 18 '14 at 18:17
  • @JasonB I answered [a very similar question](http://stackoverflow.com/q/34882672/5128464) -- might be interesting for you. – vlp Oct 15 '16 at 23:38

3 Answers

1

You can see the source code of Encrypt and Decrypt here with all the different possibilities (Framework20SP1, Framework20SP2, etc.):

https://github.com/Microsoft/referencesource/blob/master/System.Web/Security/FormsAuthentication.cs

It took me hours to read that code, but once you've got it, it's possible to write simple code just for your specific encryption settings.

david.sansay
  • [This part](https://github.com/Microsoft/referencesource/blob/4fe4349175f4c5091d972a7e56ea12012f1e7170/System.Web/Configuration/MachineKeySection.cs#L474) is quite relevant as well. – vlp Oct 09 '16 at 21:33
0

A key is not a String; take a look at the method `fromCharCode()`:

> The fromCharCode() method converts Unicode values into characters.

This means that any hexadecimal is converted to a textual character, while the `createDecipheriv()` method specifies that:

> key and iv must be 'binary' encoded strings or buffers.

Note that this is just one of the issues that may be present; I haven't had time to run the code (yet).

Maarten Bodewes
0

Your problem is probably a failure in automatic padding, turned on by default. You want to turn this off, by adding:

```javascript
c.setAutoPadding(false);
```

skieter
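
An added example (not code from the question or from either answer) covering the two points raised in the answers above: decoding the hex key to bytes instead of to a string, and what `setAutoPadding(false)` changes when the key is wrong. The key, IV and plaintext are constructed for the demo, and the block encrypts its own sample rather than a real `FormsAuthentication` cookie, whose layout is not given on this page.

```javascript
const crypto = require('crypto');

// Constructed 256-bit key and IV for this demo (not the machineKey from the question).
const KEY_HEX = '00112233445566778899aabbccddeeff' + 'f0e1d2c3b4a5968778695a4b3c2d1e0f';
const IV = Buffer.alloc(16, 0x24);
const PLAINTEXT = 'constructed ticket payload';

// The question's helper: one JavaScript character per hex pair.
function hex2a(hex) {
  let str = '';
  for (let i = 0; i < hex.length; i += 2)
    str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  return str;
}

// Key length in bytes once the hex2a() string is encoded as UTF-8:
// every byte >= 0x80 becomes two bytes, so the key is no longer 32 bytes.
function utf8KeyLength(hex) {
  return Buffer.from(hex2a(hex), 'utf8').length;
}

function encrypt(key, text) {
  const c = crypto.createCipheriv('aes-256-cbc', key, IV);
  return Buffer.concat([c.update(text, 'utf8'), c.final()]);
}

// Returns the decrypted bytes, or null when final() rejects the PKCS#7 padding.
function decrypt(key, cipherText, autoPadding) {
  const d = crypto.createDecipheriv('aes-256-cbc', key, IV);
  d.setAutoPadding(autoPadding);
  try {
    return Buffer.concat([d.update(cipherText), d.final()]);
  } catch (e) {
    return null;
  }
}

const goodKey = Buffer.from(KEY_HEX, 'hex'); // hex decoded straight to 32 bytes
const cipherText = encrypt(goodKey, PLAINTEXT);

// Decrypt with `count` keys that each differ from goodKey in one byte.
function wrongKeyResults(count, autoPadding) {
  const results = [];
  for (let i = 0; i < count; i++) {
    const k = Buffer.from(goodKey);
    k[i] ^= 0xff;
    results.push(decrypt(k, cipherText, autoPadding));
  }
  return results;
}
```

With the padding check disabled, every wrong key returns 32 bytes of garbage without an exception, so the error disappearing is not evidence that the key, IV or ciphertext offsets are right.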