CryptoJS AES encryption and Java AES decryption

by

Disclaimer: Do not use encryption unless you understand encryption concepts including chaining mode, key derivation functions, IV and block size. And don’t roll your own security scheme but stick to an established one. Just throwing in encryption algorithms doesn’t mean an application has become any more secure.

CryptoJS implements the same key derivation function as OpenSSL and the same format to put the IV into the encrypted data. So all Java code that deals with OpenSSL encoded data applies.

Given the following Javascript code:

var text = "The quick brown fox jumps over the lazy dog. 👻 👻";
var secret = "René Über";
var encrypted = CryptoJS.AES.encrypt(text, secret);
encrypted = encrypted.toString();
console.log("Cipher text: " + encrypted);

We get the cipher text:

U2FsdGVkX1+tsmZvCEFa/iGeSA0K7gvgs9KXeZKwbCDNCs2zPo+BXjvKYLrJutMK+hxTwl/hyaQLOaD7LLIRo2I5fyeRMPnroo6k8N9uwKk=

On the Java side, we have

String secret = "René Über";
String cipherText = "U2FsdGVkX1+tsmZvCEFa/iGeSA0K7gvgs9KXeZKwbCDNCs2zPo+BXjvKYLrJutMK+hxTwl/hyaQLOaD7LLIRo2I5fyeRMPnroo6k8N9uwKk=";

byte[] cipherData = Base64.getDecoder().decode(cipherText);
byte[] saltData = Arrays.copyOfRange(cipherData, 8, 16);

MessageDigest md5 = MessageDigest.getInstance("MD5");
final byte[][] keyAndIV = GenerateKeyAndIV(32, 16, 1, saltData, secret.getBytes(StandardCharsets.UTF_8), md5);
SecretKeySpec key = new SecretKeySpec(keyAndIV[0], "AES");
IvParameterSpec iv = new IvParameterSpec(keyAndIV[1]);

byte[] encrypted = Arrays.copyOfRange(cipherData, 16, cipherData.length);
Cipher aesCBC = Cipher.getInstance("AES/CBC/PKCS5Padding");
aesCBC.init(Cipher.DECRYPT_MODE, key, iv);
byte[] decryptedData = aesCBC.doFinal(encrypted);
String decryptedText = new String(decryptedData, StandardCharsets.UTF_8);

System.out.println(decryptedText);

The result is:

The quick brown fox jumps over the lazy dog. 👻 👻

That’s the text we started with. And emojis, accents and umlauts work as well.

GenerateKeyAndIV is a helper function that reimplements OpenSSL’s key derivation function EVP_BytesToKey (see https://github.com/openssl/openssl/blob/master/crypto/evp/evp_key.c).

/**
 * Generates a key and an initialization vector (IV) with the given salt and password.
 * <p>
 * This method is equivalent to OpenSSL's EVP_BytesToKey function
 * (see https://github.com/openssl/openssl/blob/master/crypto/evp/evp_key.c).
 * By default, OpenSSL uses a single iteration, MD5 as the algorithm and UTF-8 encoded password data.
 * </p>
 * @param keyLength the length of the generated key (in bytes)
 * @param ivLength the length of the generated IV (in bytes)
 * @param iterations the number of digestion rounds 
 * @param salt the salt data (8 bytes of data or <code>null</code>)
 * @param password the password data (optional)
 * @param md the message digest algorithm to use
 * @return an two-element array with the generated key and IV
 */
public static byte[][] GenerateKeyAndIV(int keyLength, int ivLength, int iterations, byte[] salt, byte[] password, MessageDigest md) {

    int digestLength = md.getDigestLength();
    int requiredLength = (keyLength + ivLength + digestLength - 1) / digestLength * digestLength;
    byte[] generatedData = new byte[requiredLength];
    int generatedLength = 0;

    try {
        md.reset();

        // Repeat process until sufficient data has been generated
        while (generatedLength < keyLength + ivLength) {

            // Digest data (last digest if available, password data, salt if available)
            if (generatedLength > 0)
                md.update(generatedData, generatedLength - digestLength, digestLength);
            md.update(password);
            if (salt != null)
                md.update(salt, 0, 8);
            md.digest(generatedData, generatedLength, digestLength);

            // additional rounds
            for (int i = 1; i < iterations; i++) {
                md.update(generatedData, generatedLength, digestLength);
                md.digest(generatedData, generatedLength, digestLength);
            }

            generatedLength += digestLength;
        }

        // Copy key and IV into separate byte arrays
        byte[][] result = new byte[2][];
        result[0] = Arrays.copyOfRange(generatedData, 0, keyLength);
        if (ivLength > 0)
            result[1] = Arrays.copyOfRange(generatedData, keyLength, keyLength + ivLength);

        return result;

    } catch (DigestException e) {
        throw new RuntimeException(e);

    } finally {
        // Clean out temporary data
        Arrays.fill(generatedData, (byte)0);
    }
}

Note that you have to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy. Otherwise, AES with key size of 256 won’t work and throw an exception:

java.security.InvalidKeyException: Illegal key size

Update

I have replaced Ola Bini’s Java code of EVP_BytesToKey, which I used in the first version of my answer, with a more idiomatic and easier to understand Java code (see above).

Also see How to decrypt file in Java encrypted with openssl command using AES?.

More Related Contents:

  1. How to decrypt an encrypted AES-256 string from CryptoJS using Java? [closed]
  2. Java 256-bit AES Password-Based Encryption
  3. Encrypt Password in Configuration Files? [closed]
  4. Given final block not properly padded
  5. Image encryption/decryption using AES256 symmetric block ciphers [closed]
  6. Java equivalent of an OpenSSL AES CBC encryption
  7. Java, How to implement a Shift Cipher (Caesar Cipher)
  8. Handling Java crypto exceptions
  9. How to encrypt or decrypt with Rijndael and a block-size of 256 bits?
  10. Using SHA1 and RSA with java.security.Signature vs. MessageDigest and Cipher
  11. Better way to create AES keys than seeding SecureRandom
  12. javax.crypto.BadPaddingException
  13. How can I list the available Cipher algorithms?
  14. How are the IV and authentication tag handled for “AES/GCM/NoPadding”?
  15. Breaking down RSA/ECB/OAEPWithSHA-256AndMGF1Padding
  16. How to convert a letter to an another letter in Java [duplicate]
  17. Initial bytes incorrect after Java AES/CBC decryption
  18. How do I use 3DES encryption/decryption in Java?
  19. Which Cipher Suites to enable for SSL Socket?
  20. Encryption of video files?
  21. Converting a Java Keystore into PEM Format
  22. JSchException: Algorithm negotiation fail
  23. Registering multiple keystores in JVM [duplicate]
  24. How do I generate a SALT in Java for Salted-Hash?
  25. java equivalent to php’s hmac-SHA1
  26. Java openssl encryption / decryption key generation [duplicate]
  27. java.io.IOException: Invalid Keystore format
  28. Is Cipher thread-safe?
  29. How can I make my AES encryption identical between Java and Objective-C (iPhone)?
  30. SecureRandom with NativePRNG vs SHA1PRNG

Leave a Comment