
I am trying to encrypt the password using the AES algorithm in Android. The backend is done using the CryptoJS library and it cannot be changed. I need to send the encrypted password to the backend. I have tried the below code:

    import android.util.Base64
    import android.util.Log
    import java.security.spec.AlgorithmParameterSpec
    import javax.crypto.Cipher
    import javax.crypto.SecretKey
    import javax.crypto.spec.IvParameterSpec
    import javax.crypto.spec.SecretKeySpec

    fun encryptNew(key: String, value: String): String? {
        try {
            // key is a Base64 string; its decoded bytes are used as the AES key ...
            val secretKey: SecretKey = SecretKeySpec(
                Base64.decode(key.toByteArray(), Base64.NO_WRAP), "AES"
            )
            // ... and the very same decoded bytes are also used as the IV
            val iv: AlgorithmParameterSpec = IvParameterSpec(
                Base64.decode(key.toByteArray(), Base64.NO_WRAP)
            )
            val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
            cipher.init(Cipher.ENCRYPT_MODE, secretKey, iv)
            return String(
                Base64.encode(cipher.doFinal(value.toByteArray(Charsets.UTF_8)), Base64.NO_WRAP)
            )
        } catch (e: Exception) {
            // log the failure with its stack trace instead of swallowing it silently
            Log.d("encryptNew", "encryption failed", e)
        }
        return null
    }

But it returns null and shows the exception java.security.InvalidKeyException: unsupported key size: 20 bytes. The code for the backend is

    // `secret` is a string here, so CryptoJS treats it as a passphrase rather than a raw key
    const encrypt = CryptoJS.AES.encrypt(str, secret);
    return encrypt.toString();

Can anyone help me with this? Note: the secret key is to be a 32-byte value, and `value` is the password which needs to be encrypted.

anju jo
  • The problem in your Kotlin code is that you apply your 32-byte key also as IV, but AES needs a 16-byte IV. The IV is usually randomly generated for each encryption, is not secret and is passed to the recipient along with the ciphertext. By the way, passwords are usually not encrypted, but hashed. – Topaco Jan 04 '21 at 21:26
  • Also, the CryptoJS code seems to apply a password instead of a key (otherwise either the IV or the ECB mode would have to be specified). The password is used to derive a 32-byte key and an IV via the (deprecated) OpenSSL KDF `EVP_BytesToKey`. In the Kotlin code, however, the key and IV are specified directly, i.e. both codes are not compatible. – Topaco Jan 04 '21 at 21:33
  • The answer to this question on SO will help you: https://stackoverflow.com/a/63701411/8166854 as it has an implementation of the key derivation function that is needed to generate a key and iv from a given password. – Michael Fehr Jan 04 '21 at 21:42
  • @Topaco thank you for your reply. The server side is using a 32-byte key and I can't change it. Also they are not using an IV (maybe auto-generated), so we can't pass the IV to the backend – anju jo Jan 04 '21 at 21:48
  • As already mentioned, key and IV are automatically derived in the CryptoJS code from the password using the key derivation function `EVP_BytesToKey`. So you have to mimic the logic of `EVP_BytesToKey` in the Kotlin code. You can find implementations of this function for various languages on the Internet. Note that `EVP_BytesToKey` is deprecated and should only be used for compatibility reasons, as in this case. – Topaco Jan 04 '21 at 22:02

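Added example, not code from the question or from any of the commenters: a Kotlin implementation of what Topaco describes, i.e. the OpenSSL `EVP_BytesToKey` derivation (MD5, one iteration, 8-byte salt) that `CryptoJS.AES.encrypt(str, secret)` runs when `secret` is a string, plus the `Salted__` container that `toString()` Base64-encodes. With that, the Android side needs no raw key or IV at all, only the same passphrase string the backend passes as `secret`. Assumptions: the passphrase and plaintext values are placeholders; `java.util.Base64` is used so the code runs on a plain JVM (on Android it needs API 26+; otherwise substitute `android.util.Base64` with `NO_WRAP`); the function names `evpBytesToKey`, `encryptForCryptoJs` and `decryptFromCryptoJs` are mine. The decrypt half is there only so the round trip can be checked locally.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

/**
 * OpenSSL EVP_BytesToKey with MD5 and a single iteration, as used by CryptoJS
 * when the second argument of CryptoJS.AES.encrypt is a string (passphrase).
 * Round i hashes (D_{i-1} || passphrase || salt), D_0 being empty; the digests
 * are concatenated until keyLen + ivLen bytes are available.
 */
fun evpBytesToKey(
    passphrase: ByteArray,
    salt: ByteArray,
    keyLen: Int = 32,   // CryptoJS default keySize: 256 bits -> AES-256
    ivLen: Int = 16     // CryptoJS default ivSize: 128 bits, one AES block
): Pair<ByteArray, ByteArray> {
    val md5 = MessageDigest.getInstance("MD5")
    val derived = ByteArray(keyLen + ivLen)
    var filled = 0
    var previous = ByteArray(0)
    while (filled < derived.size) {
        md5.reset()
        md5.update(previous)
        md5.update(passphrase)
        md5.update(salt)
        previous = md5.digest()
        val n = minOf(previous.size, derived.size - filled)
        System.arraycopy(previous, 0, derived, filled, n)
        filled += n
    }
    return Pair(derived.copyOfRange(0, keyLen), derived.copyOfRange(keyLen, keyLen + ivLen))
}

/** 8 random salt bytes, the same size CryptoJS generates per encryption. */
fun randomSalt(): ByteArray = ByteArray(8).also { SecureRandom().nextBytes(it) }

/**
 * Mirrors CryptoJS.AES.encrypt(plaintext, passphrase).toString():
 * Base64("Salted__" || salt || AES-256-CBC ciphertext with PKCS#7 padding).
 * The salt travels inside the blob, so the backend can re-derive key and IV.
 */
fun encryptForCryptoJs(plaintext: String, passphrase: String, salt: ByteArray = randomSalt()): String {
    require(salt.size == 8) { "OpenSSL salt must be 8 bytes" }
    val (key, iv) = evpBytesToKey(passphrase.toByteArray(Charsets.UTF_8), salt)
    // JCE "PKCS5Padding" is PKCS#7 padding for the 16-byte AES block, matching CryptoJS's default
    val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
    cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(key, "AES"), IvParameterSpec(iv))
    val ciphertext = cipher.doFinal(plaintext.toByteArray(Charsets.UTF_8))
    val blob = "Salted__".toByteArray(Charsets.US_ASCII) + salt + ciphertext
    return Base64.getEncoder().encodeToString(blob)
}

/** Inverse of the above, used here only to check the output locally; rejects blobs without the header. */
fun decryptFromCryptoJs(encoded: String, passphrase: String): String {
    val blob = Base64.getDecoder().decode(encoded)
    require(blob.size > 16 && String(blob, 0, 8, Charsets.US_ASCII) == "Salted__") {
        "input is not in OpenSSL salted format"
    }
    val salt = blob.copyOfRange(8, 16)
    val (key, iv) = evpBytesToKey(passphrase.toByteArray(Charsets.UTF_8), salt)
    val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
    cipher.init(Cipher.DECRYPT_MODE, SecretKeySpec(key, "AES"), IvParameterSpec(iv))
    return String(cipher.doFinal(blob.copyOfRange(16, blob.size)), Charsets.UTF_8)
}

fun main() {
    val passphrase = "example-shared-secret"   // placeholder: whatever the backend passes as `secret`
    val token = encryptForCryptoJs("hunter2", passphrase)   // placeholder plaintext
    println(token)   // send this string; the backend's CryptoJS.AES.decrypt(token, secret) accepts it
    check(decryptFromCryptoJs(token, passphrase) == "hunter2")
}
```

To confirm the derivation against an independent implementation, encrypt the same plaintext with a fixed salt on the command line and compare the strings: `echo -n hunter2 | openssl enc -aes-256-cbc -md md5 -S 0011223344556677 -pass pass:example-shared-secret -base64` must equal `encryptForCryptoJs("hunter2", "example-shared-secret", hexSalt)` for that salt; `-md md5` is required because OpenSSL 1.1.0 and later default to SHA-256, and `-pbkdf2` must not be set. Two caveats, both already raised in the comments: a single MD5 iteration is a weak KDF and offers no real protection for a low-entropy passphrase, and a passphrase embedded in the app is not a secret from anyone who has the APK, so this buys compatibility with the existing backend, not confidentiality; passwords should be sent over TLS and stored hashed on the server.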
0 Answers