
I have a Java application that uses "AES-128 bits/ECB/PKCS5Padding" (Java 8, Linux/Windows); the code is quite simple

        KeyGenerator keygen = KeyGenerator.getInstance("AES");
        SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
        secureRandom.setSeed(seed.getBytes());   // seed is a fixed string, set before any nextBytes()
        keygen.init(128, secureRandom);          // the 128-bit key is pulled from this PRNG
        ...

Because I can't find the JavaScript equivalent of the SHA1PRNG algorithm, I can't decrypt the text using JS code. But after reading Decrypt AES/CBC/PKCS5Padding with CryptoJS, and after some trials, I found that for a 128-bit seed (32-bit hex string) using SHA1PRNG in Java I can get the same result by applying SHA-1 twice in JS

CryptoJS.SHA1(CryptoJS.SHA1(seed)).toString().substring(0, 32) //using 'crypto-js'

The Python code here also confirms that! But why?

import hashlib

def get_sha1prng_key(key):
    '''[summary]
    encrypt key with SHA1PRNG
    same as java AES crypto key generator SHA1PRNG
    Arguments:
        key {[string]} -- [key]

    Returns:
        [string] -- [hexstring]
    '''
    # SHA-1 of the seed string, then SHA-1 of that 20-byte digest
    signature = hashlib.sha1(key.encode()).digest()
    signature = hashlib.sha1(signature).digest()
    # upper-case hex, truncated to 32 hex digits (16 bytes = AES-128 key)
    return ''.join(['%02x' % i for i in signature]).upper()[:32]

---- update ----

The comments I got suggested my question is a duplicate. But I checked those 2 questions and I don't think so. First of all, I know the Java code misuses a pseudo-random number generator, seeding it and using it as a key derivation function, which is bad. But that is actually someone else's code, and my job is to use JS to decrypt the encrypted text.

Second, I haven't figured out why applying SHA-1 to a 32-bit hex string twice gives the same result as the Java 8 SHA1PRNG Sun implementation (hence the question).

I read Use of "SHA1PRNG" in SecureRandom Class

"SHA1PRNG" is the name of a pseudo random number generator (the PRNG in the name). That means that it uses the SHA1 hash function to generate a stream of random numbers... There is no clear description of the algorithm available

Qiulang
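To make the "why" concrete, here is a re-implementation of the Sun/OpenJDK "SHA1PRNG" engine (sun.security.provider.SecureRandom) for exactly the call order the question shows: setSeed() once, before any nextBytes(), then KeyGenerator pulling 16 bytes. In that order engineSetSeed() finds no existing state and simply sets state = SHA1(seed); the first call to engineNextBytes() then outputs SHA1(state), i.e. SHA1(SHA1(seed)), and AESKeyGenerator takes its first 16 bytes. That is the whole reason the double-SHA-1 shortcut reproduces the key. This is an added example, not the asker's code or the JDK's; the class name Sha1Prng, the helper names and the sample SEED are my own, and SEED is a constructed 32-hex-digit string of the shape the question describes. It also goes a step beyond the question by carrying the generator's state update along, so you can see that a 256-bit key would not be a plain SHA-1 extension of the same trick.

```python
"""Re-implementation of the OpenJDK "SHA1PRNG" generator
(sun.security.provider.SecureRandom) for the case the question describes:
setSeed() is called once, before any nextBytes(), then 16 bytes are requested.
Added example, not the asker's code; class and function names are my own."""
import hashlib

DIGEST_SIZE = 20  # SHA-1 output length


class Sha1Prng:
    """Mirrors engineSetSeed()/engineNextBytes() of the Sun provider."""

    def __init__(self, seed: bytes):
        # engineSetSeed() with no existing state simply sets state = SHA1(seed).
        # Had nextBytes() been called first, the JVM would have self-seeded from
        # the OS and mixed this seed into that state, and nothing would be
        # reproducible. That call order is why the asker's trick works at all.
        self.state = bytearray(hashlib.sha1(seed).digest())
        self.remainder = bytearray(DIGEST_SIZE)  # unused tail of the last block
        self.rem_count = 0                       # bytes of that tail already handed out

    @staticmethod
    def _update_state(state: bytearray, output: bytes) -> None:
        """state(n+1) = state(n) + output(n) + 1, byte 0 least significant.

        OpenJDK does the addition on Java's signed bytes and derives the carry
        with an arithmetic shift, so this is not a plain mod 2^160 add; the
        signed arithmetic is reproduced so blocks after the first also match.
        """
        last = 1
        changed = False
        for i in range(DIGEST_SIZE):
            s = state[i] - 256 if state[i] > 127 else state[i]   # (int) of a Java byte
            o = output[i] - 256 if output[i] > 127 else output[i]
            v = s + o + last
            t = v & 0xFF                                         # (byte) v
            changed = changed or state[i] != t
            state[i] = t
            last = v >> 8            # Python's >> on a negative int floors, like Java's
        if not changed:              # "make sure at least one bit changes"
            state[0] = (state[0] + 1) & 0xFF

    def next_bytes(self, n: int) -> bytes:
        result = bytearray()
        output = self.remainder
        r = self.rem_count
        if r > 0:                                   # hand out leftover bytes first
            todo = min(n, DIGEST_SIZE - r)
            result += output[r:r + todo]
            self.rem_count += todo
        while len(result) < n:                      # then step the generator
            output = bytearray(hashlib.sha1(bytes(self.state)).digest())
            self._update_state(self.state, output)
            todo = min(n - len(result), DIGEST_SIZE)
            result += output[:todo]
            self.rem_count += todo
        self.remainder = output
        self.rem_count %= DIGEST_SIZE
        return bytes(result)


def aes128_key_from_seed(seed: str) -> bytes:
    """What KeyGenerator.getInstance("AES").init(128, prng).generateKey()
    hands back: the first 16 bytes the seeded PRNG produces."""
    return Sha1Prng(seed.encode("utf-8")).next_bytes(16)


def double_sha1(seed: str, length: int = 16) -> bytes:
    """The asker's shortcut: SHA1(SHA1(seed)), truncated."""
    inner = hashlib.sha1(seed.encode("utf-8")).digest()
    return hashlib.sha1(inner).digest()[:length]


# Constructed sample seed in the shape the question describes (32 hex digits).
SEED = "0123456789abcdef0123456789abcdef"

if __name__ == "__main__":
    print("SHA1PRNG first 16 bytes:", aes128_key_from_seed(SEED).hex().upper())
    print("SHA1(SHA1(seed))[:16]  :", double_sha1(SEED).hex().upper())
    # The shortcut covers one 20-byte block only. A 256-bit key would need
    # the second block, which comes from the state update, not another SHA-1.
    print("32 bytes from the PRNG :", Sha1Prng(SEED.encode()).next_bytes(32).hex())
```

Two caveats for anyone using this to decrypt in another language: it holds for the Oracle/OpenJDK provider, while the Android implementations referenced in the comments below differ, and `seed.getBytes()` uses the platform default charset, which only happens to be harmless here because a hex string is pure ASCII.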
  • Does this answer your question? [using sha1prng in both android and windows giving different sequences](https://stackoverflow.com/questions/9646993/using-sha1prng-in-both-android-and-windows-giving-different-sequences) – Peter O. Nov 11 '20 at 14:13
  • See also: https://stackoverflow.com/questions/16358035/encryption-algorithm-giving-different-results-on-android-2-1-and-versions-above/16362458#16362458 – Peter O. Nov 11 '20 at 14:14
  • Hi, thanks for the comments, but I don't think they answer my question. I want to know why SHA-1 twice gives the same result as SHA1PRNG. BTW, I know the Java code misuses a pseudo-random number generator and its seed as a key derivation function. But that is actually someone else's code and I need to decrypt it. – Qiulang Nov 11 '20 at 14:19
  • @PeterO. I updated my question to explain why I don't think it is a duplicate question. – Qiulang Nov 11 '20 at 14:27
  • You will have to know what specific Java runtime library is used by the Java application. As mentioned, there is no standard way to implement "SHA1PRNG" and the reason "why sha1 twice will get the same result as SHA1PRNG" is simply that that is the way the Java runtime library in question implements SHA1PRNG. – Peter O. Nov 11 '20 at 14:37
  • Thanks, I asked the guy and may get back to you. – Qiulang Nov 11 '20 at 14:39
  • What do you mean by "why?" Because that is how the algorithm works. – President James K. Polk Nov 11 '20 at 16:08
  • @PresidentJamesK.Polk can you elaborate that or just answer my question ? – Qiulang Nov 12 '20 at 01:31
  • @PeterO. it is Java 8 on Linux – Qiulang Nov 12 '20 at 01:49
  • @PeterO. I agree with this comment. The code has been the same in the OpenJDK for ages, but it has been implemented differently in the past. And since people without sufficient knowledge on cryptography use it for key derivation (rather than a KDF such as HKDF or PBKDF2) with a predefined seed, that's a very risky thing. The best and only way is to take a look at the source code, decrypt what you can and then replace the protocol post-haste. The "how" question is not interesting, the "why the heck" question is much more important. Similar for ECB mode of course. – Maarten Bodewes Nov 12 '20 at 17:47

0 Answers