We are dealing with a 3rd party who run a Java API. They deal in online banking/finance etc, and one requirement from their side is that sensitive data is encrypted in the browser prior to being sent to our server. (From our server, the data is sent on to theirs, untouched aside from very basic validation). We have no way to change this requirement.

Our client is an HTML5 website that needs to be able to encrypt certain sensitive submitted form data while leaving other parts as plain text (so no to JCryption)

I've read up many S.O. threads where people have ideas but no solutions.

As a starting point, we have the Java that will decrypt the incoming JS string, using the BouncyCastle jar:

/**
 * Decrypt text using private key.
 *
 * @param toBeDecrypted encrypted text
 * @param key the private key
 * @return the unencrypted value
 */
public String decrypt(String toBeDecrypted, PrivateKey key) throws GeneralSecurityException {
    // get an RSA cipher object for the configured transformation
    final Cipher cipher = Cipher.getInstance(ALGORITHM_CIPHER);

    // decrypt the Base64-encoded text using the private key
    cipher.init(Cipher.DECRYPT_MODE, key);
    // requires: import java.nio.charset.StandardCharsets;
    final byte[] decryptedText = cipher.doFinal(
            Base64.decodeBase64(toBeDecrypted.getBytes(StandardCharsets.US_ASCII)));

    // decode explicitly instead of relying on the platform default charset
    return new String(decryptedText, StandardCharsets.UTF_8);
}

I've tried multiple JavaScript libraries with poor results (using/downloading their demo pages), swapping in my own public/private PEM files. All of the following libraries can encrypt and decrypt strings, but those encrypted strings are not decrypted by the above Java code.

I've tried:

all without success.

Can anyone point me to a working example of JS encryption being decrypted by Java?

(As an aside, yes, our team knows about JS's unsuitability for encryption. However, this is one more step in a complex security setup, even if it does amount to only a small step.)

  • Please show what you have tried. You probably did the padding wrong. Try forge if you have given up on those libraries. Commented Jan 20, 2015 at 12:38
  • Thanks - I am almost 100% certain that it is padding. But.. without hectic JS editing I am unable to change padding in these libraries - I just don't have the knowledge. I'll give forge a go now. Commented Jan 20, 2015 at 13:17

1 Answer

So it seems to have been the public key all along. It is pretty delicate, I was using a PEM file that was supplied to me. Along the way it seems it got HTML encoded, which meant it does not work.

Using JSEncrypt this works for us - and can be decrypted by the above Java

// rsaPublicKey: the PEM public key as a string; this runs inside a function that receives `input`
var rsa = new JSEncrypt();
rsa.setPublicKey(rsaPublicKey);
// the ciphertext comes back as a base64 string
return rsa.encrypt(input);

1 Comment

The JSEncrypt library is using the "www-cs-students.stanford.edu/~tjw/jsbn" one underneath. So probably with a base64 conversion (that is the difference that I saw in JSEncrypt), the Stanford version should also work.
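
The failure described in the answer above, a PEM public key that was HTML-encoded somewhere in transit, can be caught before the key is handed to `setPublicKey`. This is an added example, not part of the original answer or of JSEncrypt; `checkPublicKeyPem`, `samplePem` and `htmlEncode` are hypothetical names, and the sample key is constructed filler with valid DER framing, not a real key.

```javascript
// Added example: sanity-check a PEM public key string before using it.
// Returns a list of problem codes; an empty list means the key looks intact.
function checkPublicKeyPem(pem) {
  const problems = [];
  // Entities or tags mean the key passed through an HTML encoder or template.
  if (/&(#\d+|#x[0-9a-f]+|[a-z]+);/i.test(pem)) problems.push("html-entities");
  if (/<[a-z\/][^>]*>/i.test(pem)) problems.push("html-tags");
  if (problems.length) return problems;

  const m = /^\s*-----BEGIN (?:RSA )?PUBLIC KEY-----([\s\S]*?)-----END (?:RSA )?PUBLIC KEY-----\s*$/.exec(pem);
  if (!m) return ["missing-pem-armor"];
  const b64 = m[1].replace(/\s+/g, "");
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) return ["invalid-base64"];

  // atob exists in browsers and recent Node; Buffer is the fallback for older Node.
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  const der = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  if (der[0] !== 0x30) return ["not-der-sequence"];

  // The outer SEQUENCE length must account for every remaining byte,
  // which catches a key that was truncated or lost characters on the way.
  let len = der[1];
  let hdr = 2;
  if (len & 0x80) {
    const n = len & 0x7f; // long form: the next n bytes hold the length
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
    hdr += n;
  }
  if (hdr + len !== der.length) problems.push("der-length-mismatch");
  return problems;
}

// Constructed sample: 162 bytes with a correct outer SEQUENCE header (30 81 9F)
// followed by filler. It is NOT a usable key, only input for the checker.
function samplePem() {
  const body = "MIGf" + "A+/B".repeat(53);
  return "-----BEGIN PUBLIC KEY-----\n" + body.match(/.{1,64}/g).join("\n") +
         "\n-----END PUBLIC KEY-----\n";
}

// Simulates what an HTML encoder does to the base64 characters '+' and '/'.
function htmlEncode(s) {
  return s.replace(/\+/g, "&#43;").replace(/\//g, "&#x2F;");
}
```

Calling `checkPublicKeyPem(rsaPublicKey)` before `rsa.setPublicKey(rsaPublicKey)` and refusing to encrypt on a non-empty result turns a silent decryption failure on the Java side into an immediate, explainable error in the client.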
