
I have a mobile app developed on Ionic and I have this portion of code that gets a base64 string and encrypts it (the same thing for decryption). Here is the code:

    globalEncrypt(input: string): string {
      return crypto.AES.encrypt(input, '****************').toString();
    }

    globalDecrypt(input: string): string {
      return crypto.AES.decrypt(input, '****************', {
        iv: '****************',
        mode: crypto.mode.CBC,
        padding: crypto.pad.Pkcs7
      }).toString(crypto.enc.Utf8);
    }

NB: '****************' are strings of length 16 but not the same (key <> IV).

This works fine.

The problem is that I tried to use the same AES in C# with the same configuration but I don't get the same result.

    public static string DecryptStringFromBytes(String TextBase64)
    {
        byte[] cipherText = Encoding.UTF8.GetBytes(TextBase64);
        string plaintext = null;

        // Create a RijndaelManaged object
        // with the specified key and IV.
        using (var rijAlg = new RijndaelManaged())
        {
            // Settings
            rijAlg.Mode = CipherMode.CBC;
            rijAlg.Padding = PaddingMode.PKCS7;
            rijAlg.FeedbackSize = 128;

            rijAlg.Key = Encoding.UTF8.GetBytes("****************");
            rijAlg.IV = Encoding.UTF8.GetBytes("****************");

            // Create a decryptor to perform the stream transform.
            var decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);

            try
            {
                // Create the streams used for decryption.
                using (var msDecrypt = new MemoryStream(cipherText))
                {
                    using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (var srDecrypt = new StreamReader(csDecrypt))
                        {
                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }
            }
            catch
            {
                plaintext = "keyError";
            }
        }

        return plaintext;
    }

Any help will be appreciated. Thank you.

THEDOCTOR
  • The JavaScript code uses a password-based _key derivation_ because the 2nd parameter is passed to `encrypt()`/`decrypt()` as string. In the C# code, key and IV are passed _directly_. – Topaco Aug 10 '21 at 06:23
  • Hi. 1- In the JavaScript part, encrypt doesn't have an IV as a parameter but decrypt does; if I understand, decrypt is not supposed to return the original message correctly? 2- CryptoJS uses PBKDF2 (correct me if I'm wrong) and the salt is random and it's not saved anywhere, so why does the decrypt work fine? – THEDOCTOR Aug 10 '21 at 09:19
  • In `globalEncrypt()` and `globalDecrypt()` key and IV are derived via a key derivation (see [here](https://cryptojs.gitbook.io/docs/#the-cipher-input)). The _explicitly_ specified IV in `globalDecrypt()` is ignored. The key derivation is done with `EVP_BytesToKey()` (not PBKDF2). `globalEncrypt()` concatenates salt and ciphertext in OpenSSL format (`Salted__+<salt>+<ciphertext>`) and Base64 encodes the result. – Topaco Aug 10 '21 at 09:43
  • Thank you for the answer, it helped me step forward; I found this [link](https://stackoverflow.com/questions/8008253/c-sharp-version-of-openssl-evp-bytestokey-method) that implements **EVP_BytesToKey()**. Now I have another problem with the WordArray.random that generates the salt randomly. I can't find any implementation for C#. [link_to_the_question](https://stackoverflow.com/questions/68732792/locking-for-cryptojs-lib-wordarray-alternative-in-c-sharp) if you could help on this too. – THEDOCTOR Aug 10 '21 at 19:55
  • In C#, (pseudo) random data can be generated e.g. with [`RNGCryptoServiceProvider`](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rngcryptoserviceprovider?view=net-5.0), see this [example](https://stackoverflow.com/a/7272904). – Topaco Aug 10 '21 at 20:18
  • Thanks again. What I didn't mention is that I want to decrypt with C# the text encrypted by the app (which means encrypted by CryptoJS) and vice versa. I have a clear text and its encrypted version by CryptoJS and I'm testing on it, but not getting the same result in C#. So again, where could the problem be? Thank you – THEDOCTOR Aug 11 '21 at 07:42
  • I have already explained where the problem lies: The posted codes are not compatible. You have to adapt the C# code. Once you have done that, you need to post the revised code, preferably with test data (but don't overwrite the old post, add the data at the end). – Topaco Aug 11 '21 at 08:01
  • By the way, if you can change the CryptoJS code, I would strongly recommend doing so: Pass key and IV directly and if you want to apply a password, use PBKDF2. Then you don't need the proprietary and insecure `EVP_BytesToKey()`. – Topaco Aug 11 '21 at 08:04

0 Answers
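The decryption path described in the comments, as an added example that is not code from the question or from any commenter: it parses the OpenSSL salted layout that CryptoJS emits in passphrase mode and derives key and IV with an `EVP_BytesToKey()`-style routine. The names `CryptoJsCompat`, `EvpBytesToKey` and `Decrypt` are hypothetical, and the code assumes the CryptoJS defaults for passphrase mode (MD5, one iteration, 256-bit key, 128-bit IV) and C# 8 or later.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class CryptoJsCompat // hypothetical helper class
{
    // EVP_BytesToKey with MD5 and one iteration (assumed CryptoJS defaults):
    // D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt)
    static byte[] EvpBytesToKey(byte[] password, byte[] salt, int length)
    {
        using var md5 = MD5.Create();
        using var derived = new MemoryStream();
        byte[] block = Array.Empty<byte>();
        while (derived.Length < length)
        {
            block = md5.ComputeHash(block.Concat(password).Concat(salt).ToArray());
            derived.Write(block, 0, block.Length);
        }
        return derived.ToArray().Take(length).ToArray();
    }

    public static string Decrypt(string base64, string passphrase)
    {
        // The input is Base64, so decode it; do not UTF-8 encode the text.
        byte[] data = Convert.FromBase64String(base64);

        // Layout: "Salted__" (8 bytes) | salt (8 bytes) | ciphertext
        if (data.Length < 32 || Encoding.ASCII.GetString(data, 0, 8) != "Salted__")
            throw new CryptographicException("Not in OpenSSL salted format");
        byte[] salt = data.Skip(8).Take(8).ToArray();

        // 32-byte key followed by 16-byte IV, both derived from the passphrase
        byte[] keyIv = EvpBytesToKey(Encoding.UTF8.GetBytes(passphrase), salt, 48);

        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = keyIv.Take(32).ToArray();
        aes.IV = keyIv.Skip(32).Take(16).ToArray();

        using var decryptor = aes.CreateDecryptor();
        byte[] plain = decryptor.TransformFinalBlock(data, 16, data.Length - 16);
        return Encoding.UTF8.GetString(plain);
    }
}
```

The salt is read back from the ciphertext itself, which is why `globalDecrypt()` works without the salt being stored anywhere else.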