I have encrypted some value using aes-256-cbc mode on PHP like this:

public function encrypt(string $data): string
{
    $iv = $this->getIv();
    $encryptedRaw = openssl_encrypt(
        $data,
        $this->cryptMethod, //aes-256-cbc
        $this->key,
        OPENSSL_RAW_DATA,
        $iv
    );
    $hash = hash_hmac('sha256', $encryptedRaw, $this->key, true);

    return base64_encode( $iv . $hash . $encryptedRaw );
}

Then I tried to decrypt it on PHP and it works fine:

    public function decrypt(string $data): string
{
    $decoded = base64_decode($data);
    $ivLength = openssl_cipher_iv_length($this->cryptMethod);
    $iv = substr($decoded, 0, $ivLength);
    $hmac = substr($decoded, $ivLength, $shaLength = 32);
    $decryptedRaw = substr($decoded, $ivLength   $shaLength);
    $originalData = openssl_decrypt(
        $decryptedRaw,
        $this->cryptMethod,
        $this->key,
        OPENSSL_RAW_DATA,
        $iv
    );

So I'm new to JavaScript and I don't know how to realize the same decrypt method as on php.

Example of encrypted string and it's key:

encrypted string lUIMFpajICh/e44Mwkr0q9xdyJh5Q8zEJHi8etax5BRl78Vsyh wDknmBga1L8p8SDZA6WKz1CvAAREFGreRAQ== secret key - 9SJ6O6IwmItSRICbXgdJ

Example what I found returns empty string:

    const decodedString = base64.decode(
  `lUIMFpajICh/e44Mwkr0q9xdyJh5Q8zEJHi8etax5BRl78Vsyh wDknmBga1L8p8SDZA6WKz1CvAAREFGreRAQ==`
);

const CryptoJS = require("crypto-js");

var key = CryptoJS.enc.Latin1.parse("9SJ6O6IwmItSRICbXgdJ");
var iv = CryptoJS.enc.Latin1.parse(decodedString.slice(0, 16));
var ctx = CryptoJS.enc.Base64.parse(
  "lUIMFpajICh/e44Mwkr0q9xdyJh5Q8zEJHi8etax5BRl78Vsyh wDknmBga1L8p8SDZA6WKz1CvAAREFGreRAQ=="
);
var enc = CryptoJS.lib.CipherParams.create({ ciphertext: ctx });
console.log(
  CryptoJS.AES.decrypt(enc, key, { iv: iv }).toString(CryptoJS.enc.Utf8)
);

}

What I did wrong?

CodePudding user response：

The key used in the PHP code is only 20 bytes in size and thus too small for AES-256 (AES-256 requires a 32 bytes key). PHP/OpenSSL implicitly pads the key with 0x00 values to the required key length. In the CryptoJS code, this must be done explicitly.

Furthermore, in the CryptoJS code, IV (the first 16 bytes), HMAC (the following 32 bytes) and ciphertext (the rest) are not separated correctly.

Also, the authentication is missing. To do this, the HMAC for the ciphertext must be determined using the key and compared with the HMAC sent. Decryption only takes place if authentication is successful.

If all of this is taken into account, the posted code can be fixed e.g. as follows:

var key = CryptoJS.enc.Utf8.parse("9SJ6O6IwmItSRICbXgdJ".padEnd(32, "\0")); // pad key
var ivMacCiphertext = CryptoJS.enc.Base64.parse("lUIMFpajICh/e44Mwkr0q9xdyJh5Q8zEJHi8etax5BRl78Vsyh wDknmBga1L8p8SDZA6WKz1CvAAREFGreRAQ==")

var iv = CryptoJS.lib.WordArray.create(ivMacCiphertext.words.slice(0, 4)); // get IV
var hmac = CryptoJS.lib.WordArray.create(ivMacCiphertext.words.slice(4, 4   8)); // get HMAC
var ct = CryptoJS.lib.WordArray.create(ivMacCiphertext.words.slice(4   8)); // get Ciphertext

var hmacCalc = CryptoJS.HmacSHA256(ct, key);
if (hmac.toString() === hmacCalc.toString()) { // authenticate
    var dt = CryptoJS.AES.decrypt({ciphertext: ct}, key, { iv: iv }).toString(CryptoJS.enc.Utf8); // decrypt
    console.log(dt);
} else {
    console.log("Decryption failed");
}

<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>

CodePudding user response：

A few thoughts for you:

• Check that your encoding/decoding is working properly. For each stage of the process, endode/decode, then console log the output and compare input to output, and also between PHP and javascript.
• CBC mode uses padding to fill out the blocks. Check that both stacks are using the same padding type.
• Rather than using CBC and a separate HMAC, how about jumping to AEAD (like AES GCM) which avoids the padding issue, and also incorporates the MAC into the encryption, so is a more simple interface?