Nodejs AES-256-GCM decrypt the encrypted client message by webcrypto api - node.js

I've Encrypted my text by a key in Client by AES-256-GCM algorithm and I can decrypt it in Client, But when I send it to the Backend which has a SharedKey(the same as the Client has), it can decrypt the message by AES-256-CTR algorithm(I used this algo because the AES-256-GCM in Nodejs needs authTag that I don't create it in Client and iv is the only thing I have).
When I decrypt the message on the Backend side, it works with no error, but the result is not what I encrypted in the Client
Here is what I wrote:
Client:
async function encrypt(text: string) {
const encodedText = new TextEncoder().encode(text);
const aesKey = await generateAesKey();
const iv = window.crypto.getRandomValues(
new Uint8Array(SERVER_ENCRYPTION_IV_LENGTH)
);
const encrypted = await window.crypto.subtle.encrypt(
{
name: 'AES-GCM',
iv,
},
aesKey,
encodedText
);
const concatenatedData = new Uint8Array(
iv.byteLength + encrypted.byteLength
);
concatenatedData.set(iv);
concatenatedData.set(new Uint8Array(encrypted), iv.byteLength);
return arrayBufferToBase64(concatenatedData),
}
Backend:
export function decrypt(sharedKey: string, message: string) {
const messageBuffer = new Uint8Array(base64ToArrayBuffer(message));
const iv = messageBuffer.subarray(0, 16);
const data = messageBuffer.subarray(16);
const decipher = crypto.createDecipheriv(
'aes-256-ctr',
Buffer.from(sharedKey, 'base64'),
iv
);
const decrypted =
decipher.update(data, 'binary', 'hex') + decipher.final('hex');
return Buffer.from(decrypted, 'hex').toString('base64');
}
Sample usage:
const encrypted = encrypt("Hi Everybody");
// send the encrypted message to the server
// Response is: Ô\tp\x8F\x03$\f\x91m\x8B B\x1CkQPQ=\x85\x97\x8AêsÌG0¸Ê

Since GCM is based on CTR, decryption with CTR is in principle also possible. However, this should generally not be done in practice, since it skips the authentication of the ciphertext, which is the added value of GCM over CTR.
The correct way is to decrypt on the NodeJS side with GCM and properly consider the authentication tag.
The authentication tag is automatically appended to the ciphertext by the WebCrypto API, while the crypto module of NodeJS handles ciphertext and tag separately. Therefore, not only the nonce but also the authentication tag must be separated on the NodeJS side.
The following JavaScript/WebCrypto code demonstrates the encryption:
(async () => {
var nonce = crypto.getRandomValues(new Uint8Array(12));
var plaintext = 'The quick brown fox jumps over the lazy dog';
var plaintextEncoded = new TextEncoder().encode(plaintext);
var aesKey = base64ToArrayBuffer('a068Sk+PXECrysAIN+fEGDzMQ3xlpWgE1bWXHVLb0AQ=');
var aesCryptoKey = await crypto.subtle.importKey('raw', aesKey, 'AES-GCM', true, ['encrypt', 'decrypt']);
var ciphertextTag = await crypto.subtle.encrypt({name: 'AES-GCM', iv: nonce}, aesCryptoKey, plaintextEncoded);
ciphertextTag = new Uint8Array(ciphertextTag);
var nonceCiphertextTag = new Uint8Array(nonce.length + ciphertextTag.length);
nonceCiphertextTag.set(nonce);
nonceCiphertextTag.set(ciphertextTag, nonce.length);
nonceCiphertextTag = arrayBufferToBase64(nonceCiphertextTag.buffer);
document.getElementById("nonceCiphertextTag").innerHTML = nonceCiphertextTag; // ihAdhr6595oyQ3koj52cnZp7VeB1fzWuY1v7vqFdSQGxK0VQxIXUegB1mVG4rC5Aymij7bQ9rmnFWbpo7C2znN4ROnnChB0=
})();
// Helper
// https://stackoverflow.com/a/9458996/9014097
function arrayBufferToBase64(buffer){
var binary = '';
var bytes = new Uint8Array(buffer);
var len = bytes.byteLength;
for (var i = 0; i < len; i++) {
binary += String.fromCharCode(bytes[i]);
}
return window.btoa(binary);
}
// https://stackoverflow.com/a/21797381/9014097
function base64ToArrayBuffer(base64) {
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array(len);
for (var i = 0; i < len; i++) {
bytes[i] = binary_string.charCodeAt(i);
}
return bytes.buffer;
}
<p style="font-family:'Courier New', monospace;" id="nonceCiphertextTag"></p>
This code is basically the same as your code, with some changes needed because of methods you didn't post like generateAesKey() or arrayBufferToBase64().
Example output:
ihAdhr6595oyQ3koj52cnZp7VeB1fzWuY1v7vqFdSQGxK0VQxIXUegB1mVG4rC5Aymij7bQ9rmnFWbpo7C2znN4ROnnChB0=
The following NodeJS/crypto code demonstrates the decryption. Note the tag separation and explicit passing with setAuthTag():
var crypto = require('crypto');
function decrypt(key, nonceCiphertextTag) {
key = Buffer.from(key, 'base64');
nonceCiphertextTag = Buffer.from(nonceCiphertextTag, 'base64');
var nonce = nonceCiphertextTag.slice(0, 12);
var ciphertext = nonceCiphertextTag.slice(12, -16);
var tag = nonceCiphertextTag.slice(-16); // Separate tag!
var decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
decipher.setAuthTag(tag); // Set tag!
var decrypted = decipher.update(ciphertext, '', 'utf8') + decipher.final('utf8');
return decrypted;
}
var nonceCiphertextTag = 'ihAdhr6595oyQ3koj52cnZp7VeB1fzWuY1v7vqFdSQGxK0VQxIXUegB1mVG4rC5Aymij7bQ9rmnFWbpo7C2znN4ROnnChB0=';
var key = 'a068Sk+PXECrysAIN+fEGDzMQ3xlpWgE1bWXHVLb0AQ=';
var decrypted = decrypt(key, nonceCiphertextTag);
console.log(decrypted);
Output:
The quick brown fox jumps over the lazy dog
For completeness: Decryption of a GCM ciphertext with CTR is also possible by appending 4 bytes to the 12 bytes nonce (0x00000002). For other nonce sizes the relation is more complex, see e.g. Relationship between AES GCM and AES CTR. However, as already said, this should not be done in practice, since it bypasses the authentication of the ciphertext and is thus insecure.

Related

NodeJS AESCFB + pkcs7 padding decryption

I'm trying to port the following Go functions to nodeJS using crypt or crypt-js but i'm having issues trying to figure out what's wrong:
The Go encryption code is available at https://go.dev/play/p/O88Bslwd-qh ( both encrypt and decrypt work)
The current nodejs implementation is:
var decryptKey= "93D87FF936DAB334C2B3CC771C9DC833B517920683C63971AA36EBC3F2A83C24";
const crypto = require('crypto');
const algorithm = 'aes-256-cfb';
const BLOCK_SIZE = 16;
var message = "8a0f6b165236391ac081f5c614265b280f84df882fb6ee14dd8b0f7020962fdd"
function encryptText(keyStr, text) {
const hash = crypto.createHash('sha256');
//Decode hex key
keyStr = Buffer.from(keyStr, "hex")
hash.update(keyStr);
const keyBytes = hash.digest();
const iv = crypto.randomBytes(BLOCK_SIZE);
const cipher = crypto.createCipheriv(algorithm, keyBytes, iv);
cipher.setAutoPadding(true);
let enc = [iv, cipher.update(text,'latin1')];
enc.push(cipher.final());
return Buffer.concat(enc).toString('hex');
}
function decryptText(keyStr, text) {
const hash = crypto.createHash('sha256');
//Decode hex key
keyStr = Buffer.from(keyStr, "hex")
hash.update(keyStr);
const keyBytes = hash.digest();
const contents = Buffer.from(text, 'hex');
const iv = contents.slice(0, BLOCK_SIZE);
const textBytes = contents.slice(BLOCK_SIZE);
const decipher = crypto.createDecipheriv(algorithm, keyBytes, iv);
decipher.setAutoPadding(true);
let res = decipher.update(textBytes,'latin1');
res += decipher.final('latin1');
return res;
}
console.log(message)
result = decryptText(decryptKey,message);
console.log(result);
message = encryptText(decryptKey,'hola').toString();
console.log(message)
result = decryptText(decryptKey,message);
console.log(result);
Any idea why it is not working as expected?
Note: I know that padding is not required with cfb but i can't modify the encryption code, it just for reference.
I don't know Go or the specifics of aes.NewCipher(key), but from its documentation it doesn't look like it's hashing the key in any way. The Go code you're linking to also doesn't hash it, so I'm not sure why you're hashing it in the Node.js code.
This should be sufficient:
function encryptText(keyStr, text) {
const keyBytes = Buffer.from(keyStr, "hex")
…
}
function decryptText(keyStr, text) {
const keyBytes = Buffer.from(keyStr, 'hex');
…
}
As an aside: it looks like you may be encrypting JSON blocks with these functions. If so, I would suggest not using any encoding (like latin1) during the encryption/decryption process, given that JSON text must be encoded using UTF-8.

Node Crypto Error - wrong final block length

I am getting an error when decrypting a response using crypto that i don't understand Error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length
I'm decrypting a response that looks like this 'p6\u001e�s�p>l?a%ޟ�=~m�\u0002D�K(�[<\u0007O�6\u001c�a�[sP�=\u00112\u001d�)n�Ⴓ?, i've shortened it for brevity. The end result is that it should be a JSON object
My code is as follows
const crypto = require('crypto');
const secret = "mysecret";
const algorithm = 'aes-128-cbc';
function decryptAES(message) {
const bytes = Buffer.from(message);
const salt = bytes.slice(bytes.length - 8);
const key = crypto.pbkdf2Sync(secret, salt, 10000, 16, 'sha1');
const iv = bytes.slice(bytes.length - 24, bytes.length - 8);
const data = bytes.slice(0, bytes.length - 24);
const decipher = crypto.createDecipheriv(algorithm, key, iv);
let decrpyted = decipher.update(data, 'hex', 'utf8');
decrpyted = Buffer.concat([decrpyted, decipher.final('utf8')])
console.log(decrpyted.toString());
}
What could I be doing wrong and what does the error message mean?
Update
From looking at how the data is encrypted the other side I can see that they are using PKCS7Padding. In my decryption code I am not specifying this. Can this be done with crypto?

node.js randomBytes() issue - use crypto to encrypt and decrypt data

I'm learning how to use the crypto module of node.js to encrypt and decrypt data. I've readed this article and this other article, they will explain how to do the same thing but in a different way. I've read in the first article that there is an issue with randomBytes() but it's dated 2017 and maybe it's foxed in node 15. Since I want to pass a custom user password for the encryption key, can I use the sha256 to hash the password and pass it for encryption? Something like
import crypto from 'crypto'
ipcMain.on('encryptMessage', (event, data) => {
let iv = crypto.randomBytes(16).toString('hex'); //I'm not sure if the string conversion is needed?
let key = crypto.createHash('sha256')
.update(data.password)
.digest(); // If I understand digest will provide an human readable hash?
//encryption code here
});
Will be this ok for the encryption process, the password will be ok if hashed to be lenght almost 32 char?
Below you find a simple program that does a complete encryption - decryption using AES in CBC mode with a 32 byte long key derived from a passphrase with PBKDF2.
As the program is used within a cross platform project the output looks strange and you can adjust it to your needs. It runs on Node 12 without any problems, see it running in an online compiler here: https://repl.it/#javacrypto/CpcNodeJsCryptoAesCbc256Pbkdf2StringEncryptionFull#index.js
The issue in the linked article was a Node 5->6 migration issue.
Security warning: the program has no exception handling and should be used for educational purpose only.
This is the output:
AES CBC 256 String encryption with PBKDF2 derived key
plaintext: The quick brown fox jumps over the lazy dog
* * * Encryption * * *
ciphertext (Base64): VUH/MSEjdMOeLySYoVbQaaA30EVioZ9CXUXUDX69LG0=:kkz49Z23b0Q+D9LX1FHzaA==:VDWsYRpRmC5i2OyiMlBQLIzw2cW2Kdp2kxZKNzh/5vNcbCdMdEGInDoT7VIUCzzj
output is (Base64) salt : (Base64) iv : (Base64) ciphertext
* * * Decryption * * *
ciphertext (Base64): VUH/MSEjdMOeLySYoVbQaaA30EVioZ9CXUXUDX69LG0=:kkz49Z23b0Q+D9LX1FHzaA==:VDWsYRpRmC5i2OyiMlBQLIzw2cW2Kdp2kxZKNzh/5vNcbCdMdEGInDoT7VIUCzzj
input is (Base64) salt : (Base64) iv : (Base64) ciphertext
plaintext: The quick brown fox jumps over the lazy dog
code:
var crypto = require('crypto');
console.log('AES CBC 256 String encryption with PBKDF2 derived key');
var plaintext = 'The quick brown fox jumps over the lazy dog';
console.log('plaintext: ', plaintext);
var password = "secret password";
console.log('\n* * * Encryption * * *');
var ciphertextBase64 = aesCbcPbkdf2EncryptToBase64(password, plaintext);
console.log('ciphertext (Base64): ' + ciphertextBase64);
console.log('output is (Base64) salt : (Base64) iv : (Base64) ciphertext');
console.log('\n* * * Decryption * * *');
var ciphertextDecryptionBase64 = ciphertextBase64;
console.log('ciphertext (Base64): ', ciphertextDecryptionBase64);
console.log('input is (Base64) salt : (Base64) iv : (Base64) ciphertext');
var decryptedtext = aesCbcPbkdf2DecryptFromBase64(password, ciphertextBase64);
console.log('plaintext: ', decryptedtext);
function aesCbcPbkdf2EncryptToBase64(password, data) {
var PBKDF2_ITERATIONS = 15000;
var salt = generateSalt32Byte();
var key = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
var iv = generateRandomInitvector();
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
let encryptedBase64 = '';
cipher.setEncoding('base64');
cipher.on('data', (chunk) => encryptedBase64 += chunk);
cipher.on('end', () => {
// do nothing console.log(encryptedBase64);
// Prints: some clear text data
});
cipher.write(data);
cipher.end();
var saltBase64 = base64Encoding(salt);
var ivBase64 = base64Encoding(iv);
return saltBase64 + ':' + ivBase64 + ':' + encryptedBase64;
}
function aesCbcPbkdf2DecryptFromBase64(password, data) {
var PBKDF2_ITERATIONS = 15000;
var dataSplit = data.split(":");
var salt = base64Decoding(dataSplit[0]);
var key = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
var iv = base64Decoding(dataSplit[1]);
var ciphertext = dataSplit[2];
const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
let decrypted = '';
decipher.on('readable', () => {
while (null !== (chunk = decipher.read())) {
decrypted += chunk.toString('utf8');
}
});
decipher.on('end', () => {
// do nothing console.log(decrypted);
});
decipher.write(ciphertext, 'base64');
decipher.end();
return decrypted;
}
function generateSalt32Byte() {
return crypto.randomBytes(32);
}
function generateRandomInitvector() {
return crypto.randomBytes(16);
}
function base64Encoding(input) {
return input.toString('base64');
}
function base64Decoding(input) {
return Buffer.from(input, 'base64')
}

Node.js: Getting Invalid RSAES-OAEP padding when trying to decrypt an encrypted symmetric key

I have a usecase where I want to encrypt my data first with a symmetric key and then encrypt the symmetric key with the client's public key. I tried to mock the scenario, but getting 'Invalid RSAES-OAEP padding' error.
Code:
var forge = require('node-forge');
var _crypto = require('crypto');
var rsa = forge.pki.rsa;
var masterKey = _crypto.randomBytes(32);
var keypair = rsa.generateKeyPair(2048);
var encryptedVal = keypair.publicKey.encrypt(masterKey, 'RSA-OAEP');
var decryptedVal = keypair.privateKey.decrypt(encryptedVal, 'RSA-OAEP');
console.log(masterKey,decryptedVal)
Do I have to convert the symmetric key format before encrypting it? And if yes, to what?
masterKey is a Buffer. You need to convert it to bytes so forge can use it
Try this function (I didn't test it...)
function toBytes(buf) {
var byteString = '';
for (var i = 0; i < buf.length; ++i) {
byteString += String.fromCodePoint(buf[i]);
}
return byteString;
}
Usage
var masterKey = toBytes(_crypto.randomBytes(32));

"Unsupported state or unable to authenticate data" with aes-128-gcm in Node

I'm trying to implement encrypt/decrypt functions using aes-128-gcm as provided by node crypto. From my understanding, gcm encrypts the ciphertext but also hashes it and provides this as an 'authentication tag'. However, I keep getting the error: "Unsupported state or unable to authenticate data".
I'm not sure if this is an error in my code - looking at the encrypted ciphertext and auth tag, the one being fetched by the decrypt function is the same as the one produced by the encrypt function.
function encrypt(plaintext) {
// IV is being generated for each encryption
var iv = crypto.randomBytes(12),
cipher = crypto.createCipheriv(aes,key,iv),
encryptedData = cipher.update(plaintext),
tag;
// Cipher.final has been called, so no more encryption/updates can take place
encryptedData += cipher.final();
// Auth tag must be generated after cipher.final()
tag = cipher.getAuthTag();
return encryptedData + "$$" + tag.toString('hex') + "$$" + iv.toString('hex');
}
function decrypt(ciphertext) {
var cipherSplit = ciphertext.split("$$"),
text = cipherSplit[0],
tag = Buffer.from(cipherSplit[1], 'hex'),
iv = Buffer.from(cipherSplit[2], 'hex'),
decipher = crypto.createDecipheriv(aes,key,iv);
decipher.setAuthTag(tag);
var decryptedData = decipher.update(text);
decryptedData += decipher.final();
}
The error is being thrown by decipher.final().
In case if someone still tries to get a working example of encryption and decryption process.
I've left some comments that should be taken into consideration.
import * as crypto from 'crypto';
const textToEncode = 'some secret text'; // utf-8
const algo = 'aes-128-gcm';
// Key bytes length depends on algorithm being used:
// 'aes-128-gcm' = 16 bytes
// 'aes-192-gcm' = 24 bytes
// 'aes-256-gcm' = 32 bytes
const key = crypto.randomBytes(16);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv(algo, key, iv);
const encrypted = Buffer.concat([
cipher.update(Buffer.from(textToEncode, 'utf-8')),
cipher.final(),
]);
const authTag = cipher.getAuthTag();
console.info('Value encrypted', {
valueToEncrypt: textToEncode,
encryptedValue: encrypted.toString('hex'),
authTag: authTag.toString('hex'),
});
// It's important to use the same authTag and IV that were used during encoding
const decipher = crypto.createDecipheriv(algo, key, iv);
decipher.setAuthTag(authTag);
const decrypted = Buffer.concat([
decipher.update(encrypted),
decipher.final(),
]);
console.info('Value decrypted', {
valueToDecrypt: encrypted.toString('hex'),
decryptedValue: decrypted.toString('utf-8'),
});
I managed to fix this: the issue was that I wasn't specifying an encoding type for cipher.final() and I was returning it within a String, so it wasn't returning a Buffer object, which decipher.final() was expecting.
To fix, I add 'utf-8' to 'hex' encoding parameters within my cipher.update and cipher.final, and vice versa in decipher.
Edited to add code example - note this is from 2018, so may be outdated now.
function encrypt(plaintext) {
// IV is being generated for each encryption
var iv = crypto.randomBytes(12),
cipher = crypto.createCipheriv(aes,key,iv),
encryptedData = cipher.update(plaintext, 'utf-8', 'hex'),
tag;
// Cipher.final has been called, so no more encryption/updates can take place
encryptedData += cipher.final('hex');
// Auth tag must be generated after cipher.final()
tag = cipher.getAuthTag();
return encryptedData + "$$" + tag.toString('hex') + "$$" + iv.toString('hex');
}
function decrypt(ciphertext) {
var cipherSplit = ciphertext.split("$$"),
text = cipherSplit[0],
tag = Buffer.from(cipherSplit[1], 'hex'),
iv = Buffer.from(cipherSplit[2], 'hex'),
decipher = crypto.createDecipheriv(aes, key, iv);
decipher.setAuthTag(tag);
var decryptedData = decipher.update(text, 'hex', 'utf-8');
decryptedData += decipher.final('utf-8');
}

Resources