Encrypt in Lucee / Decrypt in Javascript using aes.js

I’m submitting a request using jQueries $.ajax. As a result, I return an encrypted String using Lucee’s Encrypt function like so (from Lucees reference page):

<cfset encryptedString = Encrypt(“myTestString”,key,“AES”,“base64”) />
#encryptedString#

Now on the client side, I want to DECRYPT that string using the crypto-js library from code.google.com/p/crypto-js. Unfortunately I’ve not been successfull to get the decrypted key in Javascript…
I’ve tried things like
CryptoJS.AES.decrypt(returnedEncryptedKey, ‘MTIzNDU2NzgxMjM0NTY3OA==’);
But never got the original string back… Has anybody managed to do this?

Cryto-JS uses CBC-Mode as default, while Lucee using ECB.
You need to change to mode and than it works.

Example:

<cfset encryptKeyClear = "TestTestTestTest" />
<cfset encryptKey = tobase64(encryptKeyClear) />

<cfset encryptContent = encrypt("TestString", encryptKey, "AES", "Base64") />
<cfdump var="#encryptContent#" label="Content" />

<cfset decryptContent = decrypt(encryptContent, encryptKey, "AES", "Base64") />
<cfdump var="#decryptContent#" label="Decode-Content"/>

<cfoutput>
  <script src="crypto-js-3.1.9-1/crypto-js.js"></script>
  <script>
    let encryptContent = '#encryptContent#';
    let encryptKey = CryptoJS.enc.Base64.parse('#encryptKey#');
    console.log('Content', encryptContent);
    let decryptBytes = CryptoJS.AES.decrypt(encryptContent, encryptKey, {
      mode: CryptoJS.mode.ECB
    });
    console.log('Decode-Content', decryptBytes.toString(CryptoJS.enc.Utf8));
  </script>
</cfoutput>

Just for my pure of interest, why do you want to encrypt and decrypt directly after that ajax-request?
When you are using a SSL-Connection the data is already transferred encrypted.

1 Like

Thanks David; got it working!
Actually, I was using only “aes.js” from code.google.com/p/crypto-js.
I was googling around and downloaded now all the stuff now from https://github.com/cdnjs/cdnjs/tree/master/ajax/libs/crypto-js/3.1.9 => ist that the right library?.. Do I need the complete “crypto-js.js”? This is actually 129KB (or 47KB minified). I think, in the “crypto-js.js” is just everything. But I only need some of the functionality, right?

BTW - for your interest… I want to use that in an e-commerce application just to make code analyzing a bit more complicated; to make the data sent to the browser not that readable (in cleartext) in the dev-tools by the user itself…

I guess that is the current Repo: https://github.com/brix/crypto-js
No you dont need to full library. It should be enough to only include aes.js and enc-base64.js.

Mhh okay i understand, but js-variables can seen also be seen in the dev tools… I personally would not send data to the user, which i dont want to show the user.

Unfortunately, it needs more than aes.js and enc-base.js. Also tried “core.js”, but always get an Javascript-error… :frowning:
At the end, Javascript ist minified and scrambled as well, so the user has to do a bit more effort to get to the data (if he wants)… Actually, the data sent back is not that confident, but if it’s encryptet, it looks better :slight_smile:

Try this one (make sure the order is correct), if you dont want to use the full library.
Its 64kb instead of 188kb.

    <script src="crypto-js-3.1.9-1/core.js"></script>
    <script src="crypto-js-3.1.9-1/enc-base64.js"></script>
    <script src="crypto-js-3.1.9-1/cipher-core.js"></script>
    <script src="crypto-js-3.1.9-1/mode-ecb.js"></script>
    <script src="crypto-js-3.1.9-1/aes.js"></script>

I did not mean that the user can see the variables in the source-code which is minified and scrambled.
The user can simply dump all variables in the js-console.

great - works fine!
and yes, you’re right about the variables; but he has to be a bit “more expierienced”… :slight_smile:
anyway - thanks a log David!

BTW, you can, and you should use CBC mode with CFML’s encrypt() function by passing the algorithm as AES/CBC/PKCS5Padding

CBC mode provides better security and is more performant.

Pete Freitag
Foundeo Inc.

2 Likes