
I want to encrypt a message with PHP, but on the client side I want JavaScript to decrypt it. I tried Blowfish (using mcrypt), but I discovered that PHP echoes non-alphanumeric characters while the JavaScript displays alphanumeric ones. I am using Ajax so that the page will not reload.

I have tested code from http://aam.ugpl.de/?q=node/1060 and http://www.php-einfach.de/blowfish_en.php#ausgabe.

Any help is appreciated.

Edit: I use Diffie-Hellman to calculate the secret key from randomly generated numbers a and b. Below is the PHP code and its result:

class Encryption
{
    const CYPHER = 'blowfish';
    const MODE   = 'cbc';
    const KEY    = '26854571066639171754759502724211797107457520821';

    // Returns raw binary: the random IV followed by the ciphertext.
    // Declared static because it is called as Encryption::encrypt().
    public static function encrypt($plaintext)
    {
        $td = mcrypt_module_open(self::CYPHER, '', self::MODE, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        mcrypt_generic_init($td, self::KEY, $iv);
        $crypttext = mcrypt_generic($td, $plaintext);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return $iv.$crypttext;
    }

    // Splits the leading IV off the raw binary input and decrypts the rest.
    public static function decrypt($crypttext)
    {
        $plaintext = '';
        $td        = mcrypt_module_open(self::CYPHER, '', self::MODE, '');
        $ivsize    = mcrypt_enc_get_iv_size($td);
        $iv        = substr($crypttext, 0, $ivsize);
        $crypttext = substr($crypttext, $ivsize);
        if ($iv)
        {
            mcrypt_generic_init($td, self::KEY, $iv);
            $plaintext = mdecrypt_generic($td, $crypttext);
            mcrypt_generic_deinit($td);
        }
        mcrypt_module_close($td);
        return $plaintext;
    }
}

$encrypted_string = Encryption::encrypt('this is a test');
$decrypted_string = Encryption::decrypt($encrypted_string);

// $encrypted_string is raw bytes, so echoing it directly prints unreadable characters.
echo "encrypted: $encrypted_string<br>";
echo "decrypted: $decrypted_string<br>";

encrypted: µ˜?r_¿ÖŸŒúw‰1‹Žn!úaH 
decrypted: this is a test
  • Why do you need to do that? If it's for transport security you must use HTTPS since you otherwise transfer the keys over the same wire so an attacker could easily decrypt your data. If you want to prevent users from seeing the data e.g. with Firebug: If someone wants to see it, he will. Commented Dec 10, 2011 at 11:49
  • What is the use of this? Anyone is able to fetch the key used to decrypt it. Commented Dec 10, 2011 at 11:50
  • The OP did not say s/he is going to transfer the key over the wire. If it is distributed alternatively, such as through email after user sign-up, this could work, though it is certainly not 100% secure... Commented Dec 10, 2011 at 13:39
  • Actually I didn't transfer the key; I use Diffie-Hellman to get the secret key. Commented Dec 10, 2011 at 14:48

1 Answer


This JavaScript AES crypto library from a few Stanford students is the best I've seen:

http://crypto.stanford.edu/sjcl/

But note their caveat:

We believe that SJCL provides the best security which is practically available in Javascript. (Unfortunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.)

UPDATE:

In PHP, use base64_encode() after encrypting and base64_decode() before decrypting. This way it will be rendered with characters safe for transmission. In the browser, use atob() and btoa().
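
The client-side half of that transport step, as an added example that is not part of the original answer: it decodes the Base64 text back to raw bytes and splits off the IV that the question's encrypt() prepends. It assumes the server sends base64_encode($iv.$crypttext) and an 8-byte Blowfish block; the function names are hypothetical and the sample bytes are constructed, not real ciphertext.

```javascript
// Assumption: Blowfish has an 8-byte block, so the CBC IV is 8 bytes and the
// ciphertext length is a multiple of 8.
const BLOCK_SIZE = 8;

// Base64 text -> raw bytes. atob() yields a "binary string" (one char per byte);
// copy it into a Uint8Array instead of treating it as readable text.
function base64ToBytes(b64) {
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    throw new Error('not valid base64');
  }
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Raw bytes -> uppercase hex, the notation the online tool in the question prints.
function bytesToHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('').toUpperCase();
}

// Split the transported message into IV and ciphertext, rejecting malformed input.
function unpackMessage(b64) {
  const raw = base64ToBytes(b64);
  if (raw.length < 2 * BLOCK_SIZE) throw new Error('message too short');
  if (raw.length % BLOCK_SIZE !== 0) throw new Error('truncated or corrupted ciphertext');
  return { iv: raw.slice(0, BLOCK_SIZE), ciphertext: raw.slice(BLOCK_SIZE) };
}

// Constructed sample: 8 IV bytes 00..07, then 16 "ciphertext" bytes A0..AF,
// encoded the way base64_encode() would encode them on the server.
const sampleBytes = Uint8Array.from({ length: 24 }, (_, i) => (i < 8 ? i : 0xa0 + i - 8));
const sampleB64 = btoa(String.fromCharCode(...sampleBytes));

const { iv, ciphertext } = unpackMessage(sampleB64);
console.log('on the wire:', sampleB64);
console.log('IV         :', bytesToHex(iv));
console.log('ciphertext :', bytesToHex(ciphertext));
```

The hex strings and the unreadable characters PHP echoes are two renderings of the same kind of byte sequence; the decryption routine needs the bytes, along with the same key, mode and IV used on the server.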


7 Comments

Great link, thanks. But on the server side, PHP is echoing strange symbols, which I think JavaScript cannot decrypt using SJCL.
If your problem is with PHP, you need to post the relevant code so we can see what this symbol is and what can be done to help you...
I am sorry for the late response; I really had something to do until just now. I posted the code for the server side.
I tried as you said but no luck. Using atob() before decrypting it in JavaScript just makes the JavaScript decrypt the original non-alphanumeric characters. At aam.ugpl.de/?q=node/1060, encrypting "this is a test" with password "26854571066639171754759502724211797107457520821" gives "AD5FB495D6DF5865858B784CE198E51F", which is in hexadecimal if I'm correct, but mcrypt gives "µ˜?r_¿ÖŸŒúw‰1‹Žn!úaH", which is totally different... please help me.
Post the client-side JavaScript decryption code, because I can't really understand that link, as it seems to be in German. Base64 encoding (on the server) is just so you can transmit the data safely over the wire. In JS, you then unencode before decrypting. Your problem is perhaps with how you're decrypting. Are you using all of the same parameters when decrypting in JS?