I've been working on something that encrypts a piece of data in Ruby using OpenSSL and decrypts the data in JavaScript using the JavaScript Forge library.
The (unsecure, but this is for research only) method of distributing the keys works fine, i.e., I can generate the keys in Ruby and put them into PEM format, pass the PEM to JavaScript and recover a working key in JavaScript, however encrypting the same string using the same key gives two different results, so encoding/decoding between the two obviously don't work.
Is there a good way of doing this?
The other problem is that passing a binary data string from Ruby to JavaScript without getting an incompatible type error requires some sort of conversion, for example, converting the encrypted data to hex, but working with this kind of information in the forge library is proving difficult.
I actually solved my own problem, in my original question
I just wasn't doing it right
For future reference, if you are using the ruby openssl RSA encryption and want to pass it to javascript, I recommend using the https://github.com/digitalbazaar/forge library for the JS side,
second, convert encrypted strings to hex using .unpack('H*')
Forge PKI library has a .hexToBytes() function, you can then use the forge .decrypt method and get back what you started
Related
I'm currently experimenting AES encryption using Google App Script, and I found out about cCryptoGS.
It feels weird, as like all ciphered texts seem to start with U2FsdGVkX1 (even though I change the part this is my passphrase in the example to something else very very different). I am not sure if I remembered correctly, I once tried AES in the past, but on Nodejs, and it looked just so much different, I'll get completely different text ciphered out even if I change only a single character in either my message, or my key.
Even in this post How is AES implemented in CryptoJS?, the ciphered text also starts with U2FsdGVkX1.
What I am asking is this: Is this cCryptoGS actually do what it claims to do? (i.e to apply AES encryption to a message)
Here's the website https://ramblings.mcpher.com/gassnippets2/cryptojs-libraries-for-google-apps-script/ There are also graphs on the site to show that Google App Script cannot handle complicated calculations well, so it looks legit, but the result seems to be so... weird... Since, overall AES seemed to be one of the best option to do encryption.
If this is indeed how AES should work, is there any way that I can make it seems more random? Thank you so much in advance, :(
Thank you very much in advance,
CryptoJS can process both passphrases and keys for encryption and decryption. Strings are interpreted as passphrases, WordArrays as keys, s. The Cipher Input.
cCryptoGS wraps the passphrase variant and supports the algorithms AES, DES, TripleDES and Rabbit, see Usage.
E.g. for AES, cCryptoGS/CryptoJS encrypts with AES-256, whereby a passphrase must be passed in addition to the plaintext.
Before encryption a random 8 bytes salt is generated and from passphrase and salt a 32 bytes key and 16 bytes IV is derived with the OpenSSL key derivation function EVP_BytesToKey().
The result is generated in OpenSSL format for compatibility with OpenSSL, which consists of the ASCII encoding of Salted__ followed by the 8 bytes salt and the actual ciphertext, with the entire expression Base64 encoded.
The Base64 encoding of Salted__ is U2FsdGVkX18=, where U2FsdGVkX1 is fixed (the last two characters depend on the 1st byte of the salt and can therefore change). Thus, any encryption starts with U2FsdGVkX1, but this does not reveal any information.
So yes, it is encrypted with AES-256, and the constant prefix U2FsdGVkX1 is not critical.
However, the key derivation function EVP_BytesToKey() is deemed insecure nowadays, especially with the parameters used by cCryptoGS/CryptoJS (broken MD5 digest and an iteration count of 1), s. e.g. here, 3rd part, so its use cannot actually be recommended (apart for compatibility maybe).
This applies to the wrapped functionalities that use passphrases for encryption/decryption. cCryptoGS also directly allows the use of CryptoJS functions, see CryptoJS direct, whose security is to be assessed individually.
The secure way is to pass key and IV directly, or when using a passphrase not to apply the built-in function EVP_BytesToKey(), but a reliable key derivation function like PBKDF2.
These variants are supported by CryptoJS, but apparently not by cCryptoGS, at least not by the wrapped functionalities.
Also note that at least the linked cCryptoGS sources seem to be based on CryptoJS version 3.1.2 which is from 2013, s. cCryptoGS sources (current CryptoJS version is 4.1.1).
I'm pretty new to the Pickle Library and JS. I am writing code in JS to interact with a Python server; when I make a POST to the Python server, I am returned a pickled float. I want to convert the float into a JS-readable object.
The server returns something like pickle.dumps(3.14159,0). When I print this value in Python, I get b'F3.14159\n.' However, the library I'm working with, JPickle, cannot interpret the 'b' in the return (or at least, that's what I'm guessing...when I try to unpickle my response using console.log(jpickle.loads(response)), I get a "unhandled opcode" error). Separate from the POST request, jpickle.loads('F3.14159\n.') gives me 3.14159, but jpickle.loads(b'F3.14159\n.') fails to compile. I'm not sure how to change the response I get from the POST because it is unreadable in JS, so I'm unsure how to go about solving this problem.
I'm open to any solutions that don't involve changing the server-side code (I don't have control over it), including using another library. I've tried JsonPickle with no luck.
Use just JSON, no pickle library required; Python comes with the json module and browser JS can, out of the box, parse json into values.
Serialize your data via something like json.dump and use JSON.parse in the browser to deserialize it.
A little late, but the answers in attached might help:: the code allows Javascript on a browser to traverse and decode compressed pickled objects coming from Python via Ajax.
Is there an already published Javascript solution to traverse Python pickled objects without using Node.js
Make sure that the mime type is allowing you to pass binary numbers.
https://docs.expo.io/versions/latest/sdk/crypto/
Info: app is in react-native & Expo
Expo now provides a hashing method but only accepts String types for input.
Nodejs provides hashing of buffers/strings/arrays and can return the hashed value as a buffer as well.
The issue I am having is that I need to hash a buffer(uint8array) in my app with sha256. So I must find a way to convert it to a string, this causes issues because if I convert the buffer to anything else ex.(hexString,base64) my hash result is not equivalent to the exact value that nodejs crypto would provide.
I have also tried converting the buffer to utf-8/16 strings but this causes issues because the chars in this format can have multiple bytes(issues with the number being above 127). So this path was incorrect as well.
My hashes must be equivalent to the traditional nodejs createHash() results.
I am hitting a wall on this issue and not not find a way around it.
I used protostuff to transform to byte array a json input i have. The code in java is:
LinkedBuffer buffer = LinkedBuffer.allocate(1024);
Schema<String> orderSchema = RuntimeSchema.getSchema(String.class);
int i = 1 ;
for(String p:poligonsStr) {
buffer.clear();
byteslist.add(ProtostuffIOUtil.toByteArray(p, orderSchema, buffer));
}
The problem is I don't know the algorithm that is used and how I can decode with the JavaScript client (Node.js). Also I saw there is a very good algorithm called Smile implemented for protostuff in project com.dyuproject.protostuff but I would like to know how to get schema with that library- I didn't manage that yet.
I would like to know what's the best to use: ProtostuffIOUtil or SmileIOUtil?
And how to use? And how to decode with JavaScript?
protostuff binary encoding is different from protobuf, and as far as I know there is no JavaScript library to decode protostuff-encoded data at the moment.
smile is not supported by web browsers out of the box, but there are libraries that can decode it.
As for me, there are two optiomal ways how you can encode data on server using Protostuff library, and decode it using JavaScript on client side:
Use protobuf encoding, it is good if size of encoded data is important. On server side, you should use ProtobufIOUtil to serialize your data to protobuf binary format. On client side, you can use https://github.com/dcodeIO/ProtoBuf.js/ to decode binary data from server.
Use JSON encoding, it is native format for JavaScript and usually it will be parsed faster than binary protobuf-encoded data. On server side, you should use JsonIOUtil (from protostuff-json module) to serialize your data to JSON text format. On client side, it is supported out of the box.
Here is an example how to serialize your POJO into protobuf binary using Protostuff: HelloService.java
I have some Java code that sends the public exponent and modulus (very, very long integer) via json to the javascript.
I need to apply RSA encryption on a text field (password) using these values in JavaScript.
I have tried many available things on net but no success yet. And I don't have SSL in the application.
Can someone please help me on this? Some sample/exact code will be a blessing.
Have you checked out http://code.google.com/p/jscryptolib/ ?
Alternatively there is another implementation here: http://www-cs-students.stanford.edu/~tjw/jsbn/
You can find a demo of the second implementation here: http://www-cs-students.stanford.edu/~tjw/jsbn/rsa.html - just view source to see how it's used