AES Encrypt in CryptoJS and decrypt in Coldfusion

by

There seem to be two issues:

  1. CryptoJS is not using your variable as the key. As @Miguel-F mentioned, when you pass in a string, “it’s treated as a passphrase and used to derive [the] actual key and IV”. Both are randomly generated, which is why your encrypted result keeps changing. But more importantly, this means that CryptoJS is using a completely different key than the one in your CF code and that is why decrypt() fails. (At least it is part of the reason …)

  2. The second problem is that in addition to the algorithm “AES”, there are two other encryption settings which must match: mode and padding scheme. While CryptoJS and ColdFusion use the same defaults for padding scheme, the “modes” are different:

You need to ensure all three settings are the same on both sides. Try using CBC mode in CF, since it is more secure than ECB anyway. Note: It requires adding an IV value.

CF Code:

<!--- this is the base64 encrypted value from CryptoJS ---> 
<cfset encrypted = "J2f66oiDpZkFlQu26BDKL6ZwgNwN7T3ixst4JtMyNIY=">
<cfset rawString = "[email protected]">
<cfset base64Key = "MTIzNDU2NzgxMjM0NTY3OA==">
<cfset base64IV = "EBESExQVFhcYGRobHB0eHw==">

<cfset ivBytes = binaryDecode(base64IV, "base64")>
<cfoutput>
    #decrypt(encrypted, base64Key, "AES/CBC/PKCS5Padding", "base64", ivBytes)#
</cfoutput>

CryptoJS: (Adjusted Original Example)

<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/enc-base64-min.js"></script>
<script>
    var text = "#rawString#";
    var key = CryptoJS.enc.Base64.parse("#base64Key#");
    var iv  = CryptoJS.enc.Base64.parse("#base64IV#");

    var encrypted = CryptoJS.AES.encrypt(text, key, {iv: iv});
    console.log(encrypted.toString());

    var decrypted = CryptoJS.AES.decrypt(encrypted, key, {iv: iv});
    console.log(decrypted.toString(CryptoJS.enc.Utf8));
</script>

Edit:

All that said, what do you mean by the client “has no choice but to use CryptoJS to perform the encryption”? Why cannot they use server side encryption? I am not an encryption expert, but doing encryption in javascript, and exposing the key on the client, does not sound wildly secure to begin with …

More Related Contents:

  1. Javascript AES encryption [closed]
  2. Encrypt with PHP, Decrypt with Javascript (cryptojs)
  3. Encryption in JavaScript and decryption with PHP
  4. What are the AES parameters used and steps performed internally by crypto-js while encrypting a message with a password?
  5. How to decrypt password from JavaScript CryptoJS.AES.encrypt(password, passphrase) in Python
  6. How to decrypt message with CryptoJS AES. I have a working Ruby example
  7. How to decrypt an encrypted AES-256 string from CryptoJS using Java? [closed]
  8. How can I hide or encrypt JavaScript code? [duplicate]
  9. Encrypt in PHP openssl and decrypt in javascript CryptoJS
  10. How to encrypt data that needs to be decrypted in node.js?
  11. Encrypt string in PHP and decrypt in Node.js
  12. How can I encrypt JavaScript code so that it’s not decryptable?
  13. Simplest way to obfuscate and deobfuscate a string in JavaScript
  14. Using Crypto-JS in Google Apps Script – What is C.lib?
  15. How to decipher string in node js which is encrypted in crypto js in javascript
  16. Google Maps infoWindow only loading last record on markers
  17. How to make cross domain request [duplicate]
  18. When serving JavaScript files, is it better to use the application/javascript or application/x-javascript
  19. JavaScript – why Array.prototype.fill actually fills a “pointer” of object when filling anything like ‘new Object()’
  20. this.setState isn’t merging states as I would expect
  21. In javascript how can I dynamically get a nested property of an object
  22. Why is the variable holding the input value always logged as empty?
  23. How to ONLY trigger parent click event when a child is clicked
  24. jQuery min/max property from array of elements
  25. Top-level await does not work with node 14.13.-
  26. Angular $http is sending OPTIONS instead of PUT/POST
  27. Overriding XMLHttpRequest.open()
  28. How to get difference between 2 Dates in Years, Months and days using moment.js
  29. form with no action and where enter does not reload page
  30. How to catch error and continue executing a sequence in RxJs?

Leave a Comment