0

I am encrypting a token that is sent from Java code to Angular using Base64 encryption:

  import javax.crypto.Cipher;
  import javax.crypto.SecretKey;
  import javax.crypto.spec.SecretKeySpec;
  import org.apache.commons.codec.binary.Base64;

  String token = "1345BCHCNB";
  // "AES" alone resolves to AES/ECB/PKCS5Padding in the JDK's SunJCE provider
  Cipher ecipher = Cipher.getInstance("AES");
  String mykey = "1234567891234567"; // 16 bytes -> AES-128 key
  SecretKey key = new SecretKeySpec(mykey.getBytes("UTF-8"), "AES");
  ecipher.init(Cipher.ENCRYPT_MODE, key);
  byte[] utf8 = token.getBytes("UTF-8");
  byte[] enc = ecipher.doFinal(utf8);
  // encodeBase64 returns a byte[]; build the String from those bytes
  // (calling toString() on a byte[] only yields something like "[B@1b6d3586")
  String enctoken = new String(Base64.encodeBase64(enc), "UTF-8");

Now I want to decrypt it on the Angular side. I am not able to figure out how to convert it back to the actual token.

Anik Islam Abhi
Rajat Nigam
  • You used AES for encryption. Base64 does not encrypt anything. What have you tried so far? – Jörn Buitink Jan 14 '16 at 11:04
  • Keep in mind that using symmetric encryption over an insecure channel (HTTP) is only a little obfuscation and doesn't provide *any* real security. If you use HTTPS, then you can just send your token in the clear without encrypting it. See more: [Javascript Cryptography Considered Harmful](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/) – Artjom B. Jan 14 '16 at 11:53
  • Stack Overflow is not a code translation service. Select a library that supports AES *encryption* and Base64 *encoding* and try to replicate it yourself. If you run into problems, then you can ask a specific question about it. – Artjom B. Jan 14 '16 at 11:54
  • 1
    @ArtjomB. You might want to expand on: "using symmetric encryption over an insecure channel (HTTP) is only a little obfuscation and doesn't provide any real security" considering that https sends the data using symmetric encryption. I feel that statement is overly broad. Of course using HTTPS is a much better solution to the user's needs. – zaph Jan 14 '16 at 13:23
  • @zaph Yes, you're right. I forgot the little word *"only"*. Clarification for Rajat: If the symmetric key that is used to encrypt some data is sent along with the ciphertext then an attacker who observes the traffic can easily use that key to decrypt the sniffed ciphertext. If on the other hand the symmetric key is properly shared with asymmetric crypto (RSA, Diffie-Hellman) it doesn't have to be sent in the clear to the client and can therefore provide proper security. There may be still other attacks possible, so it is better to use reviewed primitives such as TLS. – Artjom B. Jan 14 '16 at 13:39
  • Good clarification! Encryption can just move what is secret from the data to the encryption key and depending on how the key is secured may or may not increase security. – zaph Jan 14 '16 at 13:41
  • @Artjom I don't need to send the key along with the cipher text because that key will already be known to both the front end and the server side application. I will just send the encoded data. – Rajat Nigam Jan 14 '16 at 13:45

1 Answer

-1

Base64 is NOT about encryption, but it is an encoding flavour. You can always, with no key nor anything secret, get the original data.

In Javascript, it is implemented using the functions btoa and atob.

More info here: http://www.w3schools.com/jsref/met_win_atob.asp

And a related topic: Base64 encoding and decoding in client-side Javascript

For the AES part, you could take a look at this topic: How to decrypt message with CryptoJS AES. I have a working Ruby example

Community
spi
  • 2
    Actually, Base64 is not about encryption and neither about hashing. It's about _encoding_. A hashing algorithm is not reversible, an encoding algorithm is reversible. If you hash a value, you'll not be able to get the original data with some reverse algorithm. If you encode data you can decode it and get the original data back. – BackSlash Jan 14 '16 at 11:09
  • So what would be the best way to save my actual token from being visible to others? – Rajat Nigam Jan 14 '16 at 11:12
  • Look at the links I gave you. They explain how to reverse your encrypting/encoding from a clientside Javascript application (using CryptoJS+window.atob) – spi Jan 14 '16 at 11:14
  • I tried to decode using atob but I got an error: "Error: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded." – Rajat Nigam Jan 14 '16 at 11:19
  • This is indeed an invalid value (percent and at-sign). You should not invoke "toString" after invoking encodeBase64. toString on an array of bytes does not convert it to a correct string, but displays its address in memory. Use new String(enc, "UTF-8") instead – spi Jan 14 '16 at 11:42
  • Base64 is not like hashing, hashing is a one-way function where the hashed value can not be recovered. Base64 is a "two-way" encoding where the original value can be recovered. – zaph Jan 14 '16 at 13:12