2

I have encrypted in flutter using dart library encrypt. Below is the code sample:

  import 'package:encrypt/encrypt.dart' as enc;
  final key = enc.Key.fromUtf8('Thisisasamplekeythatamusinginmyc'); //32 chars
  final iv = enc.IV.fromUtf8('thisismysampleiv');//16 chars

  String encryptMyData(String text) {
  final e = enc.Encrypter(enc.AES(key));
  final encrypted_data = e.encrypt(text, iv: iv);
  return encrypted_data.base64;
  }

I am able to encrypt but the issue arises when I try to decrypt the code using this code in JavaScript, using Crypto-JS:

const cryptkey = CryptoJS.enc.Utf8.parse('Thisisasamplekeythatamusinginmyc');
const crypted = CryptoJS.enc.Base64.parse("fdsUYHdv/5PoJSoZGwWppw==");

var decrypt = CryptoJS.AES.decrypt({ciphertext: crypted}, cryptkey, {
    iv: CryptoJS.enc.Hex.parse('thisismysampleiv'),
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7
});

console.log(decrypt.toString(CryptoJS.enc.Utf8));

The problem is that it always returns an empty string, even using the AES.js library.

I have looked at this answer but same issue exists.

Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
vin shaba
  • 167
  • 3
  • 12
  • The plaintext to your sample data is missing. – Topaco Feb 14 '22 at 21:44
  • That can be anything, any text you use. the function is encryptMyData("Sample Text") – vin shaba Feb 14 '22 at 21:46
  • The posted Dart code does not return the ciphertext `Ck4F8zbx79xebKbsdPKtsg==` for the plaintext `Sample Text` when using the key `Thisisasamplekeythatamusinginmyc` and the IV `thisismysampleiv`. Check this again. – Topaco Feb 14 '22 at 22:08
  • No this is just text sample data. Whatever it returns, how do i decrypt it in javascript that is my question. Thank you @Topaco – vin shaba Feb 14 '22 at 22:28
  • 1
    You make it unnecessarily difficult to answer the question. How is the reader supposed to know that the test data is inconsistent? Please post _valid and complete_ test data! – Topaco Feb 14 '22 at 22:38
  • I have edited the question with valid cypherText `fdsUYHdv/5PoJSoZGwWppw==`. Thank you – vin shaba Feb 14 '22 at 23:08

1 Answers1

3

The CryptoJS code is incomaptible because the IV is decoded incorrectly. Instead of the Hex encoder, the Utf8 encoder must be used.
Also, the encrypt library applies the CTR mode by default. Therefore, in the CryptoJS code the CTR mode must be used instead of the CBC mode:

const cryptkey = CryptoJS.enc.Utf8.parse('Thisisasamplekeythatamusinginmyc');
const cryptiv = CryptoJS.enc.Utf8.parse('thisismysampleiv')

// Decryption 
const crypted = CryptoJS.enc.Base64.parse("fdsUYHdv/5PoJSoZGwWppw==");
var decrypt = CryptoJS.AES.decrypt({ciphertext: crypted}, cryptkey, {
    iv: cryptiv,
    mode: CryptoJS.mode.CTR
});
console.log(decrypt.toString(CryptoJS.enc.Utf8));

// Encryption
var encrypt = CryptoJS.AES.encrypt("Sample Text", cryptkey, {
    iv: cryptiv,
    mode: CryptoJS.mode.CTR
});
console.log(encrypt.toString())
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>

Usually no padding is used for a stream cipher mode like CTR. Note that both libraries apply PKCS#7 padding by default and do not automatically disable it for a stream cipher mode. Therefore, the padding should be explicitly disabled on both sides (with padding: null on the Dart side and padding: CryptoJS.pad.NoPadding on the CryptoJS side).
Alternatively, a block cipher mode like CBC can be used on both sides. Then, padding must be applied (e.g. PKCS#7).

If a static IV is used beyond testing and a password for the key: Then, for security reasons, a key derivation function such as PBKDF2 should be applied. Also, for each encryption, a random IV should be generated, which is passed to the other side along with the ciphertext (typically concatenated).

Topaco
  • 40,594
  • 4
  • 35
  • 62