I’m submitting a request using jQuery’s $.ajax. As a result, I return an encrypted string using Lucee’s Encrypt function like so (from Lucee’s reference page):
<cfset encryptedString = Encrypt("myTestString",key,"AES","base64") />
#encryptedString#
Now on the client side, I want to DECRYPT that string using the crypto-js library from Google Code Archive - Long-term storage for Google Code Project Hosting. Unfortunately I’ve not been successful to get the decrypted key in JavaScript…
I’ve tried things like
CryptoJS.AES.decrypt(returnedEncryptedKey, 'MTIzNDU2NzgxMjM0NTY3OA==');
But never got the original string back… Has anybody managed to do this?
1 Like
Crypto-JS uses CBC mode as default, while Lucee uses ECB.
You need to change the mode and then it works.
Example:
<cfset encryptKeyClear = "TestTestTestTest" />
<cfset encryptKey = tobase64(encryptKeyClear) />
<cfset encryptContent = encrypt("TestString", encryptKey, "AES", "Base64") />
<cfdump var="#encryptContent#" label="Content" />
<cfset decryptContent = decrypt(encryptContent, encryptKey, "AES", "Base64") />
<cfdump var="#decryptContent#" label="Decode-Content"/>
<cfoutput>
<script src="crypto-js-3.1.9-1/crypto-js.js"></script>
<script>
let encryptContent = '#encryptContent#';
let encryptKey = CryptoJS.enc.Base64.parse('#encryptKey#');
console.log('Content', encryptContent);
let decryptBytes = CryptoJS.AES.decrypt(encryptContent, encryptKey, {
mode: CryptoJS.mode.ECB
});
console.log('Decode-Content', decryptBytes.toString(CryptoJS.enc.Utf8));
</script>
</cfoutput>
Just out of pure interest, why do you want to encrypt and decrypt directly after that ajax-request?
When you are using an SSL connection the data is already transferred encrypted.
1 Like
Thanks David; got it working!
Actually, I was using only “aes.js” from Google Code Archive - Long-term storage for Google Code Project Hosting.
I was googling around and have now downloaded all the stuff from cdnjs/ajax/libs/crypto-js/3.1.9 at master · cdnjs/cdnjs · GitHub => is that the right library? Do I need the complete “crypto-js.js”? This is actually 129KB (or 47KB minified). I think, in the “crypto-js.js” is just everything. But I only need some of the functionality, right?
BTW - for your interest… I want to use that in an e-commerce application just to make code analyzing a bit more complicated; to make the data sent to the browser not that readable (in cleartext) in the dev-tools by the user itself…
I guess that is the current Repo: GitHub - brix/crypto-js: JavaScript library of crypto standards.
No, you don’t need the full library. It should be enough to only include aes.js and enc-base64.js.
Mhh okay, I understand, but js-variables can also be seen in the dev tools… I personally would not send data to the user which I don’t want to show the user.
Unfortunately, it needs more than aes.js and enc-base.js. Also tried “core.js”, but always get a JavaScript error…
In the end, JavaScript is minified and scrambled as well, so the user has to make a bit more effort to get to the data (if he wants)… Actually, the data sent back is not that confidential, but if it’s encrypted, it looks better
Try this one (make sure the order is correct), if you don’t want to use the full library.
It’s 64kb instead of 188kb.
<script src="crypto-js-3.1.9-1/core.js"></script>
<script src="crypto-js-3.1.9-1/enc-base64.js"></script>
<script src="crypto-js-3.1.9-1/cipher-core.js"></script>
<script src="crypto-js-3.1.9-1/mode-ecb.js"></script>
<script src="crypto-js-3.1.9-1/aes.js"></script>
I did not mean that the user can see the variables in the source-code which is minified and scrambled.
The user can simply dump all variables in the js-console.
great - works fine!
and yes, you’re right about the variables; but he has to be a bit “more experienced”…
anyway - thanks a lot, David!
BTW, you can, and you should, use CBC mode with CFML’s encrypt() function by passing the algorithm as AES/CBC/PKCS5Padding.
CBC mode provides better security and is more performant.
Pete Freitag
Foundeo Inc.
2 Likes
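The ECB-versus-CBC difference discussed in this thread, as an added example that is not code from any of the posters: it uses Node's built-in crypto module in place of crypto-js, the test key from the CFML example above, and a constructed plaintext. The "random IV prepended to the ciphertext" layout for CBC and all function names are assumptions of this example, not something the thread states.

```javascript
// Added example: Node's built-in crypto module stands in for crypto-js.
const nodeCrypto = require('crypto');

// Test key from the thread, Base64-encoded the way tobase64() does it in the CFML example.
const KEY_B64 = Buffer.from('TestTestTestTest', 'utf8').toString('base64');
// Constructed sample: the same 16-byte record three times (three identical AES blocks).
const SAMPLE = 'item=42;price=10'.repeat(3);

const run = (cipher, data) => Buffer.concat([cipher.update(data), cipher.final()]);

// ECB: no IV, every 16-byte block is encrypted independently of the others.
function encryptEcb(plaintext, keyB64) {
  const key = Buffer.from(keyB64, 'base64');
  const cipher = nodeCrypto.createCipheriv('aes-128-ecb', key, null);
  return run(cipher, Buffer.from(plaintext, 'utf8')).toString('base64');
}
function decryptEcb(ctB64, keyB64) {
  const key = Buffer.from(keyB64, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-128-ecb', key, null);
  return run(decipher, Buffer.from(ctB64, 'base64')).toString('utf8');
}

// CBC: fresh random IV per message. Assumed layout for this example: IV || ciphertext.
function encryptCbc(plaintext, keyB64) {
  const key = Buffer.from(keyB64, 'base64');
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([iv, run(cipher, Buffer.from(plaintext, 'utf8'))]).toString('base64');
}
function decryptCbc(ctB64, keyB64) {
  const key = Buffer.from(keyB64, 'base64');
  const raw = Buffer.from(ctB64, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-128-cbc', key, raw.subarray(0, 16));
  return run(decipher, raw.subarray(16)).toString('utf8');
}

// Count 16-byte ciphertext blocks that already occurred earlier in the same message.
// Repeats reveal which plaintext blocks are equal, even without the key.
function repeatedBlocks(ctB64, skipBytes = 0) {
  const raw = Buffer.from(ctB64, 'base64').subarray(skipBytes);
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i + 16 <= raw.length; i += 16) {
    const block = raw.toString('hex', i, i + 16);
    if (seen.has(block)) repeats += 1; else seen.add(block);
  }
  return repeats;
}
```

With ECB the same plaintext always yields the same ciphertext and equal blocks stay visibly equal; with CBC and a random IV neither holds, which is the practical meaning of the mode change recommended in the last post.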