Ciphertext Is Not Converting To Plain Text And Is Not Being Alerted

I am not able to decrypt a ciphertext. I have to test that my decryption is working properly or not. So, I created a simple html file which take cipher text and than convert it int

Solution 1:

I'm not familiar with CryptoJS, but... It looks like you need to move the alert before the return decrypted.toString(CryptoJS.enc.Utf8); line, as the alert won't get called once the function returns.

Also, it would be better practice to make your key and cipher text variable strings, then call it from the button passing in those variables (although you may want to store your key in the javascript, and only pass in the cipherTextString).

<scripttype="text/javascript">functiondecryptByDES(cipherTextString, keyString) {
        var keyHex = CryptoJS.enc.Utf8.parse(keyString);

        var decrypted = CryptoJS.DES.decrypt({
            ciphertext: CryptoJS.enc.Base64.parse(cipherTextString)
        }, keyHex, {
            mode: CryptoJS.mode.ECB,
            padding: CryptoJS.pad.Pkcs7
        });

        var decryptedStringified = decrypted.toString(CryptoJS.enc.Utf8);

        alert(decryptedStringified);

        return decryptedStringified;
    }
</script>

And then call it from your button, passing in the correct variables:

<buttononclick="decryptByDES('aHJHDJSHJhjsak=', 'highishjdhsjhjs');">View</button>

Solution 2:

If you want to hardcode a key, then you can do many things, but all of them should involve some kind of code obfuscation, because a client might just open the developer tools and read the key.

Ways to hardcode the key, here are two simple ways that don't leak the key to the global object ...

1. In the local scope of the function that does the encryption/decryption

   functiondecryptByDES(cipherTextString) {
       var keyHex = CryptoJS.enc.Utf8.parse("mykeystring12345");
       var decrypted = CryptoJS.DES.decrypt({
       //...
   }
   

2. In an wrapper scope (here used in an IIFE), but not in global scope

   (function(){
       var keyHex = CryptoJS.enc.Utf8.parse("mykeystring12345");
       functiondecryptByDES(cipherTextString) {
           var decrypted = CryptoJS.DES.decrypt({
           //...
       }
   })();
   

A few things to note:

• If you hardcode the key, then this doesn't provide any real security if the file the key is in is transmitted insecurely. You definitely need HTTPS, but if you have HTTPS you likely don't need the encryption provided by CryptoJS. (Ref)

• DES supports only one key size of exactly 8 bytes. If you cannot supply keys (which should look like random noise), then you're probably supplying a password, which does not need to have this specific length requirements. Since passwords cannot be used as keys, you will need to derive a key from that password. CryptoJS supports PBKDF2 for that. If you're supplying a key that does not have the required size, then you will get strange results, but don't expect an error from CryptoJS.

• Don't use DES nowadays. It only provides 56 bit of security. AES would be a much better, because it's more secure with the lowest key size of 128 bit. There is also a practical limit on the maximum ciphertext size with DES. See Security comparison of 3DES and AES.

• Never use ECB mode. It's deterministic and therefore not semantically secure. You should at the very least use a randomized mode like CBC or CTR. It is better to authenticate your ciphertexts so that attacks like a padding oracle attack are not possible. This can be done with authenticated modes like GCM or EAX, or with an encrypt-then-MAC scheme.