Score: 0

I am encrypting some important content on the client side using CryptoJS (AES). The code I am using is below:

    // Requires CryptoJS to be loaded first (a <script> tag, or var CryptoJS = require('crypto-js')).
    function encrypt(value) {
        // Hard-coded 16-byte secret, reused as both key and IV: visible to anyone who opens Dev Tools.
        var keyIV = 'Ei9sHWE25Jiol77Q';
        var key = CryptoJS.enc.Utf8.parse(keyIV);
        return CryptoJS.AES.encrypt(CryptoJS.enc.Utf8.parse(value), key, {
            // keySize is counted in 32-bit words and is ignored when a raw key WordArray is
            // passed (it only matters for passphrase key derivation); the 16-byte key selects AES-128.
            keySize: 256 / 8,
            iv: key,                 // same bytes as the key, so the IV is fixed and public too
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        }).toString();               // Base64 ciphertext (no "Salted__" prefix, since no passphrase KDF ran)
    }

But as you can see, the key used to encrypt can be seen by anyone. How can I make this key secure, or put it in a non-human-readable format, or use any other tricks to make sure the key is secure?

tjb1
Suresh

2 Answers

Score: 1

You need to give more details on what you're trying to do and what your concerns are.

For example:

  • if clients should also be able to decrypt the data they're encrypting, then public key cryptography is out of the question (unless clients ask the server to decrypt the data for them, but then what's the point of encryption if the server will readily decrypt everything for you?)
  • are you concerned about clients decrypting data of other clients? If so, can your server generate a different key for each client? Should the server be able to decrypt data of clients (and thus requires a copy of all keys)?

There is rarely an absolute right answer in security. There are different tools for different purposes.

YSK
  • If I look at the OP's code in Dev Tools, I can take his key and decrypt his encrypted data, by doing:

        const decrypted = CryptoJS.AES.decrypt(encrypted, key, { iv: iv });
        console.log('decrypted: ', decrypted);
        const plaintext1 = decrypted.toString(CryptoJS.enc.Utf8);
        console.log('plaintext: ', plaintext1);

    What is the point of client side encryption, when the key cannot be secured? – Charles Robertson Feb 05 '22 at 11:11
Score: -2

If you are only worried about the key, use asymmetric encryption. You'll only need to store the public key on the client side.

The encrypted data is safe and can't be manipulated, and you can decrypt it on the server side with your private key.

Marcus