
I am trying to encrypt a message from Android then decrypt it on the web.

Firstly, I generate a key using JavaScript and store it in my database:

var text = "";
var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

for( var i=0; i <10; i++ )
    text += possible.charAt(Math.floor(Math.random() * possible.length));
secondaryDatabase.ref().update({
    [displayName]:text
})

Secondly, I encrypt the message in Java by retrieving the message in the input field and the key from the database.

message.setText(message);
String key = String.valueOf(dataSnapshot);
encryptedI = AESCrypt.encrypt(key,message);

For simplicity, let's just take it that the message is "hello world" and the key is password:

String message = "hello world";
String key = "password";
encryptedI = AESCrypt.encrypt(key,message);

Thirdly, I stored the encrypted message in the database.

mRef.child(uid).child("encryptedmessage").setValue(encryptedI);

Lastly, I decrypted the message using the key, both retrieved from the database, with Crypto-js in JavaScript, but it returns an empty string:

var decrypted = CryptoJS.AES.decrypt(message,key);
var decryptedvalue=decrypted.toString(CryptoJS.enc.Utf8)

I have checked that the key and encrypted message used are the same. I even decrypted in Java to make sure that the encryption is done correctly. I used https://github.com/scottyab/AESCrypt-Android for encryption on Android and crypto-js for decryption in JavaScript.

The question is: why does it return an empty string, and how can I solve it?

  • That is a horrible key derivation method, use PBKDF2 aka Rfc2898 and method sometimes named: Rfc2898DeriveBytes. Commented Jun 26, 2017 at 15:52
  • Just a curious question. Since I'm planning to store the key in a database because of reasons, does it matter whether I use Rfc2898DeriveBytes or randomly generated characters? Because if somehow the 'hackers' manage to get into the database, they will be able to get the key either way. Sorry if I am wrong, still trying to understand cryptography, quite a complicated topic for me. Commented Jun 26, 2017 at 19:29

1 Answer

You cannot just get two different libraries together and hope they will be compatible. Although AES in itself has been standardized, it has only been standardized as a block cipher with three possible key sizes: AES-128, AES-192 and AES-256. To actually encrypt something you need a mode of operation and possibly padding. If you want to use a password instead of a key you need to derive a key from the password, for instance using PBKDF2.


As the two libraries you've mentioned are both weak and badly specified I strongly urge you to find two compatible password based encryption libraries for Java and JavaScript.

It should be possible to perform PBKDF2 using both Crypto-JS and Android. I would not use a standalone crypto library though, just use the functionality already available through Android. Don't forget to implement a high iteration count and make sure that the passwords used are up to par. If you want any kind of security you want to use authenticated encryption or implement that yourself using HMAC-SHA256 or similar.

As I don't know your use cases or threat model (and I'm not planning to) just see this as general hints in the right direction, not as solid security advice.


6 Comments

I'm sorry, I didn't know there was such a huge issue. I'm new to cryptography so I'm just trying to get something working by combining different examples together. Regarding the key, it's just randomly generated characters to act as the key, it is not the password of the user. I saw many examples use crypto-js so I thought it's a good library. Do you have any suggestions for libraries which contain examples and are maybe not so complicated?
"I'm new to cryptography so I'm just trying to get something working by combining different examples together." That's not a good idea; you will get something working maybe, but do you know how secure it is? "Regarding the key, it's just randomly generated characters to act as the key, it is not the password of the user." A key should consist of fully random bytes to an adversary, not characters. "I saw many examples use crypto-js so I thought it's a good library." Unfortunately good crypto isn't determined by popular vote.
For this kind of cryptography it is almost always better to use TLS. There are just too many pitfalls for creating transport security, and that, it seems, is what you need.
Oh, I have actually implemented SSL (Cloudflare) on my website, not sure if that's what you mean. There is a part in my project where the user will have to submit their bank no. in the app for the other party to make a transaction. From what I know, we should not store sensitive data of users in the database. Hence, I was thinking of encrypting it and storing it in the database, and when the other party needs it, they can simply access it through the web (that's where the decryption comes in). Since it's not exactly a payment thing, I can't use a 3rd party payment page as it is not what I need.
I've added some more information. But it seems you need expert help on this one. Even if a bank account number isn't the biggest secret around, it is still very sensitive especially if you also use it for transactions.