How do I decrypt a message when I have only the message and the key? I know the key (as a string), and the encrypted message is returned from my friend's API (as a string). My friend uses CryptoJS to encrypt with AES. How do I decrypt that message? I think my friend uses the default settings for everything (in CryptoJS).

I'm trying it with encrypt in flutter. The thing is encrypter.decrypt() accepts the type Encrypted and iv while I have the encrypted message as a String. How do I convert it to Encrypted? Also, how do I obtain the iv?

Here's an example of the known information (both are String)

Encrypted message: U2FsdGVkX1851cYw0S6LX/xhUwdy0R/1AlNun5L9Ykc=

Key Example: myKey111

I'm currently out of ideas.

Here's what I have currently

    String key = 'myKey111';
    String keyB64 = base64.encode(utf8.encode(key));
    final keyKey = encrypt.Key.fromBase64(keyB64);
    String code = "U2FsdGVkX1851cYw0S6LX/xhUwdy0R/1AlNun5L9Ykc=";
    List<int> list = code.codeUnits;
    Uint8List bytes = Uint8List.fromList(list);
    final _encrypted = encrypt.Encrypted(bytes);
    print('KEY TEST: ${keyKey.base64}');
    final _encrypter = encrypt.Encrypter(encrypt.AES(
      keyKey,
      mode: encrypt.AESMode.cbc,
      padding: 'PKCS7',
    ));
    final iv = encrypt.IV.fromUtf8('myKey111');
    final _decrypted = _encrypter.decrypt(_encrypted, iv: iv);
  • 1
    There are different parameters involved (mode, iv, ..) so your best option is to ask for the encrypting code and use the same parameters to decrypt, otherwise we would just assume the parameters (all the defaults). For the code - what do you have? SO is not a service to write the code, tutorials or translate to another language. – gusto2 Jan 19 '22 at 15:58
  • I've added the code in – C. Nutchanon Jan 19 '22 at 16:08
  • 1
    If the ciphertext is Base64 decoded, it starts with the ASCII encoding of `Salted__`. This points to the OpenSSL format. If so, the prefix is followed by an 8-byte salt and the actual ciphertext. The key derivation function `EVP_BytesToKey()` is used (MD5 digest, iteration count 1), which expects salt and password (`myKey111`) as input and outputs key and IV. The last two are then used to decrypt the actual ciphertext. [This](https://stackoverflow.com/a/60648119/9014097) could be a suitable Dart implementation, not tested. – Topaco Jan 19 '22 at 16:16
  • @Topaco this comment assumes a lot of information not present in the question.. – gusto2 Jan 19 '22 at 16:39
  • 2
    @gusto2 - The OP describes that the other side uses CryptoJS. CryptoJS in turn generates the ciphertext in OpenSSL format when passwords are used (which is the case here). Moreover, the Base64 encoded ciphertext starts with the prefix U2FsdGVkX1, which is characteristic for the OpenSSL format. These are *not* guesses. Apart from that, I'm just describing what the OP has to do to verify this. – Topaco Jan 19 '22 at 17:09
  • "U2FsdGVk" is literally the base 64 encoding of "Salted" in ASCII so yeah, of course. – Maarten Bodewes Jan 19 '22 at 17:52
  • @Topaco Thanks. I will look further into the details you provided – C. Nutchanon Jan 19 '22 at 18:21
  • @MaartenBodewes What actually is "Salt" in AES encryption? I don't think I quite get it. Is it just a randomly generated sequence that is attached at the front of the ciphertext? – C. Nutchanon Jan 19 '22 at 18:22
  • What happens is that there is an OpenSSL specific PBKDF - a password based key derivation function - called `EVP_BytesToKey`; (some claim it to be a form of PBKDF1, a standardized PBKDF, I still have to verify that). This PBKDF takes a salt and iteration count to convert a password to a key, which is then used by the cipher. So the salt is not specific to AES: it is specific to the PBKDF where it is just used to avoid rainbow table and related attacks. So this encryption is not really just encryption, it is key derivation + encryption. – Maarten Bodewes Jan 19 '22 at 18:52
  • CryptoJS later added a clean encryption version by overloading the function where you can use a specific key and IV by the way, i.e. no key derivation takes place. – Maarten Bodewes Jan 19 '22 at 18:54

0 Answers
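The steps described in the comments (Base64-decode, check the `Salted__` prefix, take the 8-byte salt, run `EVP_BytesToKey` with MD5 and one iteration, then AES-CBC decrypt), written out as an added example that is not part of the original thread. It uses Node.js's built-in `crypto` module rather than the Dart `encrypt` package, and assumes CryptoJS's passphrase defaults of a 256-bit key and a 16-byte IV; the function names are illustrative.

```javascript
const crypto = require('crypto');

// OpenSSL's EVP_BytesToKey with MD5 and iteration count 1:
// D_1 = MD5(password || salt), D_i = MD5(D_(i-1) || password || salt).
// The concatenated digests are split into key and IV.
function evpBytesToKey(password, salt, keyLen = 32, ivLen = 16) {
  const pass = Buffer.from(password, 'utf8');
  let block = Buffer.alloc(0);
  let derived = Buffer.alloc(0);
  while (derived.length < keyLen + ivLen) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pass, salt])).digest();
    derived = Buffer.concat([derived, block]);
  }
  return { key: derived.subarray(0, keyLen), iv: derived.subarray(keyLen, keyLen + ivLen) };
}

// Layout after Base64 decoding: "Salted__" (8 bytes) | salt (8 bytes) | ciphertext.
function parseOpenSslBlob(b64) {
  const raw = Buffer.from(b64, 'base64');
  if (raw.length < 32 || raw.subarray(0, 8).toString('latin1') !== 'Salted__') {
    throw new Error('not in OpenSSL salted format');
  }
  const ciphertext = raw.subarray(16);
  if (ciphertext.length % 16 !== 0) {
    throw new Error('ciphertext is not a whole number of AES blocks');
  }
  return { salt: raw.subarray(8, 16), ciphertext };
}

function decryptCryptoJsAes(b64, password) {
  const { salt, ciphertext } = parseOpenSslBlob(b64);
  const { key, iv } = evpBytesToKey(password, salt);
  const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
  // final() throws when the PKCS#7 padding is invalid, which is the usual
  // symptom of a wrong password or wrong derivation parameters.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// The ciphertext from the question: show the salt and ciphertext it carries.
const sample = parseOpenSslBlob('U2FsdGVkX1851cYw0S6LX/xhUwdy0R/1AlNun5L9Ykc=');
console.log('salt:', sample.salt.toString('hex'),
            'ciphertext bytes:', sample.ciphertext.length);
```

The IV is never transmitted in this format: it is derived together with the key, which is why the only inputs are the Base64 string and the password.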