3

I want to create an iOS mobile application which is to communicate with my Node.js web application. To encrypt the data being sent from the mobile device to the web application, I've decided to use AES 256 encryption and then converting to base64. The problem is that all the Objective-C libraries that I found do not have the same output (for the same password and input text) as the Node.js ones. I don't know what to do...

Here are some of the iOS libraries:

Also, for the Node.js platform I tried these libraries:

  • all these four libraries

  • based on this example I've constructed mine:

    var crypto = require('crypto'); 
var key = "onceuponatime";
var toCrypt = "Hello World!"; 
var output = ''; 
var decrypted = '';

var cipher = crypto.createCipher('aes256', key); 
output += cipher.update(toCrypt, 'utf-8', 'base64');

output += cipher.final('base64');

console.log(output);

var deCipher = crypto.createDecipher('aes256', key); 
decrypted += deCipher.update(output,'base64','utf-8');

decrypted += deCipher.final('utf-8');

console.log(decrypted);

Using FBEncryptor and my Node.js example I get the following encrypted base64 strings for the input I've provided: 7TsBLBvS6A1iByn9OTkzWA== and mZ9cf4oklVN2ZnD0oQ0Tjw==. Could you help me find a solution where I would get the same encrypted string both on iOS and on Node.js? Thanks.

Vishal Sojitra
  • 195
  • 8
Teo
  • 3,394
  • 11
  • 43
  • 73
  • Show your iOS code along with your test input and output. If using FBEncryptor which method are you using. There are several things that need to be known: algorithm, key size, key, mode, iv if not ECB mode, ii padding done, if so how is it done. These need to be known and the problem with packaged methods is that this information may not be available. – zaph Jan 02 '14 at 14:07
  • @Theo. there are different versions of AES256. Checkout http://nodejs.org/api/crypto.html#crypto_crypto_getciphers to see what node supports. On the other side it may help to know which one FBEncryptor uses – bodokaiser Jan 02 '14 at 14:45
  • @bodokaiser What do you mean "different versions of AES256"? There is only one version. Perhaps you mean different Node.js functions? – zaph Jan 02 '14 at 17:23
  • @Zaph Did you check out the link I gave you? There are 'AES-128-CBC', 'AES-128-CBC-HMAC-SHA1'and a couple of more. So I would suggest its the same with the AES256 algorithm. – bodokaiser Jan 02 '14 at 20:00
  • 1
    @bodokaiser "AES-128-CBC-HMAC-SHA1" is not a different version of AES, it describes a Node.js function. "128" specifies a key length, "CBC" specifies the CBC mode and will require an iv. The "HMAC-SHA1" is an additional operation the Node.js function performs. AES encrypts and decrypts to and from 8-bit data. One of the problems with scripting languages is they hide what is really happening making it difficult to achieve interoperability. Basically, if a developer does not understand encryption the developer should not be using encryption, a single error (bug) in security is a total failure. – zaph Jan 02 '14 at 21:31

1 Answers1

8

If you look at the source code for FBEncryptor, you'll see that it creates a 32-byte zero-filled buffer for the key and a 16-byte zero-filled buffer for the IV. The key is then copied into the key buffer. The IV buffer is untouched. In order to produce the same output via Node.js, we need to replicate what is happening inside FBEncryptor.

Instead of using crypto.createCipher, you'll need to use crypto.createCipheriv and supply the IV. Same goes for crypto.createDecipher.

So let's walkthrough the node.js code:

var crypto = require('crypto'); 
var key     = "onceuponatime";
var toCrypt = "Hello World!";

This is unchanged from your original script. We simply import the crypto module and set up the encryption key and the string to be encrypted.

// Create the 32-byte zero-filled key buffer
keyBuf = new Buffer(Array(32));
// Copy the key into this buffer
keyBuf.write(key, 'utf8');

// Create the 16-byte zero-filled IV buffer
ivBuf = new Buffer(Array(16));

Here we create the key and IV buffers that we'll use to encrypt toCrypt. 

var cipher = crypto.createCipheriv('aes256', keyBuf, ivBuf); 
output = cipher.update(toCrypt, 'utf-8', 'base64') + cipher.final('base64');
console.log(output);

Next, we set up the cipher with the key and IV buffers and encrypt toCrypt. This produces 7TsBLBvS6A1iByn9OTkzWA== which is the same as FBEncryptor. 

var deCipher = crypto.createDecipheriv('aes256', keyBuf, ivBuf); 
decrypted = deCipher.update(output,'base64','utf-8') + deCipher.final('utf-8');
console.log(decrypted);

Here we set up the decipher with the key and IV buffers and decrypt the encrypted string. This produces the output Hello World!.

neilco
  • 7,964
  • 2
  • 36
  • 41