-2

I want to use JavaScript to write a script that creates a hash string, but this string should use the same formula that my server-side programmer uses in his code.

The C# code for decoding is:

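```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

private string Decrypt(string cipherText)
{
    // Hard-coded passphrase; the key and the IV below are both derived from it.
    string EncryptionKey = "MAKV2SPBNI99212";
    byte[] cipherBytes = Convert.FromBase64String(cipherText);
    using (Aes encryptor = Aes.Create())
    {
        // PBKDF2 with a fixed salt, so the same key and IV come out on every call.
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32); // 256-bit AES key
        encryptor.IV = pdb.GetBytes(16);  // static IV taken from the same derivation
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateDecryptor(), CryptoStreamMode.Write))
            {
                cs.Write(cipherBytes, 0, cipherBytes.Length);
                cs.Close();
            }
            // The plaintext is read back as UTF-16LE (Encoding.Unicode).
            cipherText = Encoding.Unicode.GetString(ms.ToArray());
        }
    }
    return cipherText;
}
```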

I don't have any idea how to work on encrypting/decrypting strings in JavaScript. How can I write a script to encrypt strings in JavaScript?

UPDATE: I found CryptoJS and used this code:

```javascript
var ID = 12345;
var ciphertext = Crypto.AES.encrypt(ID, 'MAKV2SPBNI99212');
```

But the hashed string is not accepted by the C# Decrypt method.

MajAfy
  • 1
    Possible duplicate of [JavaScript string encryption and decryption?](http://stackoverflow.com/questions/18279141/javascript-string-encryption-and-decryption) – lleaff Feb 06 '17 at 12:04
  • Use Ajax to send the string from JavaScript to your C# server backend and get back an encrypted string. – Uwe Keim Feb 06 '17 at 12:05
  • @lleaff Thanks, I found that question before but that solution did not work for me :( – MajAfy Feb 06 '17 at 12:06
  • 1
    BTW: A hash cannot be "decrypted". – Uwe Keim Feb 06 '17 at 12:06
  • @UweKeim Thanks for the solution. We don't want to decrypt strings; we have an ID and we want nobody to be able to guess it, so we want to hash this ID and then pass it to the server – MajAfy Feb 06 '17 at 12:07
  • Your C# source code is using a static IV which means that plaintext recovery is very possible under the right circumstances. Not secure at all. It also has no integrity check so can be changed in transit and you will never know. – Luke Joshua Park Feb 06 '17 at 18:58
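
The static IV and the missing integrity check raised in the comments above, as an added example that is not part of the original post or its answers: it mirrors the parameters of the C# `Decrypt` in Node.js (PBKDF2-HMAC-SHA1 with 1000 iterations, which are the `Rfc2898DeriveBytes` defaults, AES-256-CBC, UTF-16LE text) and contrasts them with AES-256-GCM under a random nonce. The function names, the random GCM key and the `12345` sample value are assumptions made for the illustration.

```javascript
const nodeCrypto = require('crypto');

const PASSWORD = 'MAKV2SPBNI99212'; // hard-coded passphrase from the post
const SALT = Buffer.from([0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76]);

// Rfc2898DeriveBytes defaults: PBKDF2-HMAC-SHA1, 1000 iterations.
// GetBytes(32) then GetBytes(16) read consecutive bytes of one output stream.
function deriveLegacyKeyIv() {
  const okm = nodeCrypto.pbkdf2Sync(PASSWORD, SALT, 1000, 48, 'sha1');
  return { key: okm.subarray(0, 32), iv: okm.subarray(32, 48) };
}

// What the C# side decrypts: AES-256-CBC, PKCS7, UTF-16LE plaintext, Base64 text.
function legacyEncrypt(text) {
  const { key, iv } = deriveLegacyKeyIv();
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([c.update(Buffer.from(text, 'utf16le')), c.final()]).toString('base64');
}

// Hardened form: fresh 96-bit nonce per message, GCM tag for integrity.
function sealGcm(key, text) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Sealed layout: nonce (12 bytes) | tag (16 bytes) | ciphertext.
function openGcm(key, sealed) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]).toString('utf8'); // throws if modified
}

// Constructed demo values; the GCM key is an assumed server-held random key.
function demo() {
  const key = nodeCrypto.randomBytes(32);
  const a = sealGcm(key, '12345'), b = sealGcm(key, '12345');
  const tampered = Buffer.from(a);
  tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit
  let rejected = false;
  try { openGcm(key, tampered); } catch { rejected = true; }
  return {
    legacyRepeats: legacyEncrypt('12345') === legacyEncrypt('12345'), // static IV
    gcmRepeats: a.equals(b),                                          // random nonce
    roundTrip: openGcm(key, a), tamperRejected: rejected,
  };
}
console.log(demo());
```

With the legacy parameters the same ID always produces the same token, while the GCM form yields a different token each time and refuses a modified one.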

1 Answer

0

As you have an "encryptionKey" in your source code, you don't want that key in your JavaScript code. JavaScript is client-side and so insecure (for this purpose) by definition.

Instead, create an API call: simply call a server-side function and return the response as a string or JSON object.

So all you have to do is to call that function from outside. You did not provide any information on whether you use ASP.NET or MVC, so I cannot offer any code example, but you should find more than enough resources for that on MSDN.

Ole Albers
  • Thanks for your answer. I want to use this code in a hybrid app and I will obfuscate my code. Now I don't know exactly what the `EncryptionKey` value is. I found `CryptoJS` and used this code `var ciphertext = Crypto.AES.encrypt(ID, 'MAKV2SPBNI99212');` but the hash string is not accepted by the C# decryptor! – MajAfy Feb 06 '17 at 12:36
  • 3
    Obfuscation does not work for security. There are un-obfuscation-tools out there. Seriously: Don't do that – Ole Albers Feb 06 '17 at 12:54
  • @MajAfy With due respect, your use of incorrect terminology and fundamentally flawed faith in the "security" of obfuscation shows that you really don't know enough about crypto to be implementing this yourself. If you want what you are working on to **actually be secure**, for both you and your users, you should really hire a professional security consultant or developer. Both your C# code and your planned changes are full of security holes. – Luke Joshua Park Feb 06 '17 at 18:54