Javascript encryption that match with PHP decryption

Question

I have the php code as below, and I want to create a Javascript functions that work the same as the php code below. Also, the data that encrypted in Javascript can also decrypt in php. `

<?php
class Security {
    public static function encrypt($input, $key) {
        $size = mcrypt_get_block_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB); 
        $input = Security::pkcs5_pad($input, $size); 
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, ''); 
        $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND); 
        mcrypt_generic_init($td, $key, $iv); 
        $data = mcrypt_generic($td, $input); 
        mcrypt_generic_deinit($td); 
        mcrypt_module_close($td); 
        $data = base64_encode($data); 
        return $data; 
    } 
    private static function pkcs5_pad ($text, $blocksize) { 
        $pad = $blocksize - (strlen($text) % $blocksize); 
        return $text . str_repeat(chr($pad), $pad); 
    } 
    public static function decrypt($sStr, $sKey) {
        $decrypted= mcrypt_decrypt(
            MCRYPT_RIJNDAEL_128,
            $sKey, 
            base64_decode($sStr), 
            MCRYPT_MODE_ECB
        );
        $dec_s = strlen($decrypted); 
        $padding = ord($decrypted[$dec_s-1]); 
        $decrypted = substr($decrypted, 0, -$padding);
        return $decrypted;
    }   
}
?>

`

So you want somebody to write the Javascript for you? (PS: Why bother and not use a HTTPS connection) — Ed Heal, Apr 16 '16 at 06:25
**Never use [ECB mode](http://crypto.stackexchange.com/q/14487/13022)**. It's deterministic and therefore not semantically secure. You should at the very least use a randomized mode like [CBC](http://crypto.stackexchange.com/q/22260/13022) or [CTR](http://crypto.stackexchange.com/a/2378/13022). It is better to authenticate your ciphertexts so that attacks like a [padding oracle attack](http://crypto.stackexchange.com/q/18185/13022) are not possible. This can be done with authenticated modes like GCM or EAX, or with an [encrypt-then-MAC](http://crypto.stackexchange.com/q/202/13022) scheme. — Artjom B., Apr 16 '16 at 09:52
How are you transmitting the key? If you do that over an insecure connection, then this is simple obfuscation and does not provide any security. See: [Javascript Cryptography Considered Harmful](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/) — Artjom B., Apr 16 '16 at 09:56

score -3 · Answer 1 · edited May 23 '17 at 10:33

-3

Use crypto.js at javascript end. Reference over here

Javascript

  var key = CryptoJS.enc.Hex.parse("0123456789abcdef0123456789abcdef");
    var iv = CryptoJS.enc.Hex.parse("abcdef9876543210abcdef9876543210");
    /*
     if you wish to have a more friendly key, you can convert letters to Hex this way:
     var a = "D";
     var hex_D = a.charCodeAt(0).toString(16);
     just to mention,
     if it were to binary, it would be:
     var binary_D = a.charCodeAt(0).toString(2);
     */

    var secret = "secret key goes here";

    //crypted
    var encrypted = CryptoJS.AES.encrypt(secret, key, {iv : iv});
    //and the ciphertext put to base64
    encrypted = encrypted.ciphertext.toString(CryptoJS.enc.Base64);
    //Assuming you have control on the server side, and know the key and iv hexes(we do),
    //the encrypted var is all you need to pass through ajax,
    //Let's follow with welcomed pure JS style, to reinforce one and other concept if needed
    var xh = new XMLHttpRequest();
    xh.open("POST", "php.php", true);
    xh.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xh.send("encrypted=" + encodeURIComponent(encrypted));
    xh.onreadystatechange = function() {
        if (xh.readyState == 4 && xh.status == 200) {
            var myArr = (xh.responseText);
            console.log(myArr);
        }
    };

At PHP

<?php
//Here we have the key and iv which we know, because we have just chosen them on the JS,
//the pack acts just like the parse Hex from JS

$key = pack("H*", "0123456789abcdef0123456789abcdef");
$iv = pack("H*", "abcdef9876543210abcdef9876543210");

//Now we receive the encrypted from the post, we should decode it from base64,
$encrypted = base64_decode($_POST["encrypted"]);
$shown = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted, MCRYPT_MODE_CBC, $iv);

echo trim($shown);
//Although the decrypted is shown, there may be needed to trim and str_replace some \r \n \x06 \x05, if there is not a better "trim" way to do it though
?>

You can use JXG compressor too

edited May 23 '17 at 10:33

Community

1
1

answered Apr 16 '16 at 06:29

Keyur Sakaria

680
1
5
12

1

Excuse me, CryptoJS is only in node.js ? – Sowattana Sigen Apr 16 '16 at 06:34
1

No. it is available for browsers too https://code.google.com/archive/p/crypto-js/ – Keyur Sakaria Apr 16 '16 at 06:37
Is this link correct? https://github.com/sytelus/CryptoJS/tree/master/rollups if correct, what are the files that I have to include? – Sowattana Sigen Apr 16 '16 at 06:45
https://code.google.com/archive/p/crypto-js/downloads download the first one and use x64-core-min.js in the component folder – Keyur Sakaria Apr 16 '16 at 07:00
download this single file and it will work – Keyur Sakaria Apr 16 '16 at 07:04
When I include only x64-core-min.js, it will cause error "CryptoJS is not defined". – Sowattana Sigen Apr 16 '16 at 07:33
Please don't copy code without attribution. The code from this answer is found [in this answer](http://stackoverflow.com/a/33906234/1816580). – Artjom B. Apr 16 '16 at 09:59
1

Note that this is **not secure** if used over an HTTP connection. Browser Javascript is practically impossible to make secure due to the way it is delivered. – Luke Joshua Park Apr 16 '16 at 11:09
@ArtjomB. Yeah this was the code i was referring to, i was not able to find the link. thanks for giving me the link. I will update the answer – Keyur Sakaria Apr 18 '16 at 05:43

Javascript encryption that match with PHP decryption

1 Answers1