Ciphertext is not converting to plain text and is not being alerted

佐手、 submitted on 2019-12-02 08:15:16

Question


I am not able to decrypt a ciphertext. I have to test whether my decryption is working properly or not. So, I created a simple HTML file which takes cipher text and then converts it into plain text.

Here I am just hardcoding the value and then converting the ciphertext into plain text.

When I tried it, it was not working at all. I don't understand what the issue is.

This is my code

<!DOCTYPE html>
<html>
<head>
    <script src="tripledes.js"></script>
    <script src="mode-ecb.js"></script>
    <style type="text/css">
<script type="text/javascript">

        function decryptByDES(aHJHDJSHJhjsak=, highishjdhsjhjs) {
            var keyHex = CryptoJS.enc.Utf8.parse(highishjdhsjhjs);

            var decrypted = CryptoJS.DES.decrypt({
                ciphertext: CryptoJS.enc.Base64.parse(aHJHDJSHJhjsak=)
            }, keyHex, {
                mode: CryptoJS.mode.ECB,
                padding: CryptoJS.pad.Pkcs7
            });

            return decrypted.toString(CryptoJS.enc.Utf8);
            alert ( decrypted);
        }


    </script>
</head>
<body>

    <div class="maindiv">
        <div>
            <label for="name">Message:</label>
            <input type="text" id="msg" name="msg" />
        </div>
        <div>
            <label for="mail">Key:</label>
            <input type="text" id="key" name="key" />
        </div>

        <div class="button">
            <button onclick="decryptByDES()">View</button>
        </div>
    </div>
</body>
</html>

and my mode-ecb.js file is

/*
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
*/
/**
 * Electronic Codebook block mode.
 */
CryptoJS.mode.ECB = (function () {
    var ECB = CryptoJS.lib.BlockCipherMode.extend();

    ECB.Encryptor = ECB.extend({
        processBlock: function (words, offset) {
            this._cipher.encryptBlock(words, offset);
        }
    });

    ECB.Decryptor = ECB.extend({
        processBlock: function (words, offset) {
            this._cipher.decryptBlock(words, offset);
        }
    });

    return ECB;
}());

I need to show my decrypted text in an alert. But nothing is happening.


Answer 1:


I'm not familiar with CryptoJS, but... It looks like you need to move the alert before the return decrypted.toString(CryptoJS.enc.Utf8); line, as the alert won't get called once the function returns.

Also, it would be better practice to make your key and cipher text variable strings, then call it from the button passing in those variables (although you may want to store your key in the javascript, and only pass in the cipherTextString).

<script type="text/javascript">
    function decryptByDES(cipherTextString, keyString) {
        var keyHex = CryptoJS.enc.Utf8.parse(keyString);

        var decrypted = CryptoJS.DES.decrypt({
            ciphertext: CryptoJS.enc.Base64.parse(cipherTextString)
        }, keyHex, {
            mode: CryptoJS.mode.ECB,
            padding: CryptoJS.pad.Pkcs7
        });

        var decryptedStringified = decrypted.toString(CryptoJS.enc.Utf8);

        alert(decryptedStringified);

        return decryptedStringified;
    }
</script>

And then call it from your button, passing in the correct variables:

<button onclick="decryptByDES('aHJHDJSHJhjsak=', 'highishjdhsjhjs');">View</button>



Answer 2:


In addition to Jem's answer...

If you want to hardcode a key, then you can do many things, but all of them should involve some kind of code obfuscation, because a client might just open the developer tools and read the key.

Ways to hardcode the key, here are two simple ways that don't leak the key to the global object ...

  1. In the local scope of the function that does the encryption/decryption

    function decryptByDES(cipherTextString) {
        var keyHex = CryptoJS.enc.Utf8.parse("mykeystring12345");
        var decrypted = CryptoJS.DES.decrypt({
        //...
    }
    
  2. In a wrapper scope (here used in an IIFE), but not in global scope

    (function(){
        var keyHex = CryptoJS.enc.Utf8.parse("mykeystring12345");
        function decryptByDES(cipherTextString) {
            var decrypted = CryptoJS.DES.decrypt({
            //...
        }
    })();
    

A few things to note:

  • If you hardcode the key, then this doesn't provide any real security if the file the key is in is transmitted insecurely. You definitely need HTTPS, but if you have HTTPS you likely don't need the encryption provided by CryptoJS. (Ref)

  • DES supports only one key size of exactly 8 bytes. If you cannot supply keys (which should look like random noise), then you're probably supplying a password, which does not need to have this specific length requirement. Since passwords cannot be used as keys, you will need to derive a key from that password. CryptoJS supports PBKDF2 for that. If you're supplying a key that does not have the required size, then you will get strange results, but don't expect an error from CryptoJS.

  • Don't use DES nowadays. It only provides 56 bits of security. AES would be much better, because it's more secure with the lowest key size of 128 bits. There is also a practical limit on the maximum ciphertext size with DES. See Security comparison of 3DES and AES.

  • Never use ECB mode. It's deterministic and therefore not semantically secure. You should at the very least use a randomized mode like CBC or CTR. It is better to authenticate your ciphertexts so that attacks like a padding oracle attack are not possible. This can be done with authenticated modes like GCM or EAX, or with an encrypt-then-MAC scheme.
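
The recommendations in the notes above (a PBKDF2-derived key, AES instead of DES, an authenticated mode instead of ECB), shown as an added example that is not part of the original answers. It uses Node.js's built-in crypto module rather than CryptoJS; the function names, the iteration count and the salt | iv | tag | ciphertext layout are assumptions made for this example.

```javascript
// Added example: Node.js built-in crypto, not CryptoJS and not code from the answers.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // assumed PBKDF2 work factor; tune for your hardware

// Derive a 256-bit AES key from a password. The salt is random but not secret.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// AES-256-GCM: randomized (fresh salt and nonce per message) and authenticated.
function encrypt(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Layout constructed for this example: salt | iv | tag | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decrypt(password, messageB64) {
  const buf = Buffer.from(messageB64, 'base64');
  const salt = buf.subarray(0, 16);
  const iv = buf.subarray(16, 28);
  const tag = buf.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag or key is wrong.
  return Buffer.concat([decipher.update(buf.subarray(44)), decipher.final()]).toString('utf8');
}

// ECB is deterministic: two equal plaintext blocks give two equal ciphertext blocks.
function ecbRepeatsBlocks() {
  const key = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-128-ecb', key, null);
  const ct = Buffer.concat([cipher.update(Buffer.alloc(32, 0x41)), cipher.final()]);
  return ct.subarray(0, 16).equals(ct.subarray(16, 32));
}

// Flip one bit of the message; an authenticated mode must refuse to decrypt it.
function tamperIsRejected(password, messageB64) {
  const buf = Buffer.from(messageB64, 'base64');
  buf[buf.length - 1] ^= 0x01;
  try { decrypt(password, buf.toString('base64')); return false; }
  catch (e) { return true; }
}
```
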



Source: https://stackoverflow.com/questions/37789525/ciphertext-is-not-converting-to-plain-text-and-is-not-being-alerted
