<p>There seem to be two issues:</p>
<ol>
<li><p>CryptoJS is not using your variable as the <code>key</code>. As @Miguel-F mentioned, when you pass in a string, <a href="https://code.google.com/p/crypto-js/#The_Cipher_Input" rel="nofollow">"it's treated as a passphrase and used to derive [the] actual key and IV"</a>. Both are randomly generated, which is why your encrypted result keeps changing. But more importantly, this means that CryptoJS is using a completely different <code>key</code> than the one in your CF code and that is why decrypt() fails. (At least it is part of the reason ...)</p></li>
<li><p>The second problem is that in addition to the algorithm "AES", there are two other encryption settings which must match: <a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation" rel="nofollow">mode</a> and <a href="http://en.wikipedia.org/wiki/Padding_%28cryptography%29" rel="nofollow">padding scheme</a>. While CryptoJS and ColdFusion use the same defaults for padding scheme, the "modes" are different:</p>
<ul>
<li><a href="http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html" rel="nofollow">ColdFusion uses "ECB"</a>. "AES" is actually short for <code>"AES/ECB/PKCS5Padding"</code></li>
<li>CryptoJS uses "CBC", which requires an additional <code>iv</code> (<a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Initialization_vector_.28IV.29" rel="nofollow">initialization vector</a>) value.</li>
</ul></li>
</ol>
<p>You need to ensure all three settings are the same on both sides. Try using CBC mode in CF, since it is more secure than ECB anyway. <em>Note: It requires adding an IV value.</em></p>
<p><strong>CF Code:</strong></p>
<pre><code>&lt;!--- this is the base64 encrypted value from CryptoJS ---&gt;
&lt;cfset encrypted = "J2f66oiDpZkFlQu26BDKL6ZwgNwN7T3ixst4JtMyNIY="&gt;
&lt;cfset rawString = "max.brenner@google.com.au"&gt;
&lt;cfset base64Key = "MTIzNDU2NzgxMjM0NTY3OA=="&gt;
&lt;cfset base64IV = "EBESExQVFhcYGRobHB0eHw=="&gt;

&lt;cfset ivBytes = binaryDecode(base64IV, "base64")&gt;
&lt;cfoutput&gt;
    #decrypt(encrypted, base64Key, "AES/CBC/PKCS5Padding", "base64", ivBytes)#
&lt;/cfoutput&gt;
</code></pre>
<p><strong>CryptoJS: (Adjusted Original Example)</strong></p>
<pre><code>&lt;script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"&gt;&lt;/script&gt;
&lt;script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/enc-base64-min.js"&gt;&lt;/script&gt;
&lt;script&gt;
    var text = "#rawString#";
    var key = CryptoJS.enc.Base64.parse("#base64Key#");
    var iv = CryptoJS.enc.Base64.parse("#base64IV#");

    var encrypted = CryptoJS.AES.encrypt(text, key, {iv: iv});
    console.log(encrypted.toString());

    var decrypted = CryptoJS.AES.decrypt(encrypted, key, {iv: iv});
    console.log(decrypted.toString(CryptoJS.enc.Utf8));
&lt;/script&gt;
</code></pre>
<p><strong>Edit:</strong></p>
<p>All that said, what do you mean by the client <em>"has no choice but to use CryptoJS to perform the encryption"</em>? Why cannot they use server side encryption? I am not an encryption expert, but doing encryption in javascript, and <strong><em>exposing the key on the client</em></strong>, does not sound wildly secure to begin with ... </p>
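The two mismatches described in the answer above, reproduced as an added example with Node.js's built-in crypto module (not code from the original post, and not CryptoJS or ColdFusion). The key, IV and plaintext are the sample values from the answer; the passphrase derivation is modelled as OpenSSL's EVP_BytesToKey with MD5 and one iteration, which is an assumption about CryptoJS's passphrase mode, and the salt is constructed.

```javascript
const crypto = require('node:crypto');

// Sample values from the answer: a 16-byte key (AES-128) and a 16-byte IV.
const key = Buffer.from('MTIzNDU2NzgxMjM0NTY3OA==', 'base64');
const iv = Buffer.from('EBESExQVFhcYGRobHB0eHw==', 'base64');
const text = 'max.brenner@google.com.au';

function encrypt(algorithm, k, ivOrNull, plaintext) {
  const c = crypto.createCipheriv(algorithm, k, ivOrNull);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
}

function decrypt(algorithm, k, ivOrNull, ciphertext) {
  const d = crypto.createDecipheriv(algorithm, k, ivOrNull);
  return Buffer.concat([d.update(ciphertext), d.final()]).toString('utf8');
}

// EVP_BytesToKey (MD5, one iteration): turns a passphrase string plus an
// 8-byte salt into a 32-byte key and a 16-byte IV (assumed model, see lead-in).
function deriveFromPassphrase(passphrase, salt) {
  const pass = Buffer.from(passphrase, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < 48) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pass, salt])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

// True only when (algorithm, key, IV) on the decrypting side recover `expected`.
function roundTrips(algorithm, k, ivOrNull, ciphertext, expected) {
  try {
    return decrypt(algorithm, k, ivOrNull, ciphertext) === expected;
  } catch (e) {
    return false; // typically a padding error: wrong key or wrong mode
  }
}

const cbc = encrypt('aes-128-cbc', key, iv, text);
console.log('same key, IV and mode (CBC):', roundTrips('aes-128-cbc', key, iv, cbc, text));
// Mode mismatch: ciphertext produced with CBC, decrypted as ECB (no IV).
console.log('CBC ciphertext read as ECB :', roundTrips('aes-128-ecb', key, null, cbc, text));
// Key mismatch: the same 16 characters treated as a passphrase with a random salt.
const derived = deriveFromPassphrase(key.toString('latin1'), crypto.randomBytes(8));
console.log('passphrase-derived key/IV  :', roundTrips('aes-256-cbc', derived.key, derived.iv, cbc, text));
```

Only the first check succeeds; either mismatch alone is enough to make decryption fail.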