Dart "encrypt" library gives unreadable string after encryption
In the Dart code the ciphertext must be Base64 decoded and not UTF8 encoded:
final decrypted = encrypter.decrypt(Encrypted.from64(cipher), iv: IV.fromUtf8(iv)); // fromBase64() works also
This is not necessary in the JavaScript code, where CryptoJS.AES.decrypt() implicitly converts the Base64 encoded ciphertext into a CipherParams object.
If this is fixed, the decryption works!
Note the following vulnerability: In both codes, the first 16 bytes of the 32 bytes key are also used as IV. If the same key is applied several times, this automatically results in the repetition of key/IV pairs. Especially for CRT this is insecure, see Why must IV/key-pairs not be reused in CTR mode?
Usually a random IV is generated for each encryption. The IV is not secret and is sent along with the ciphertext (typically concatenated). On the decrypting side, the IV is stripped and used for decryption.
hrtlkr29
Updated on December 07, 2022Comments
-
hrtlkr29 over 1 year
I'm moving from React Native to Flutter/Dart. I have the following code snippet from React Native's typescript:
import CryptoJS from 'crypto-js'; export const decryptSessionKey = (randomKey: string, cipher: string) => { const iv = randomKey ? randomKey.slice(0, 16) : ''; const decrypted = CryptoJS.AES.decrypt( cipher, CryptoJS.enc.Utf8.parse(randomKey), { iv: CryptoJS.enc.Utf8.parse(iv), mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding, }, ); return decrypted.toString(CryptoJS.enc.Utf8); };And I moved those code to flutter/dart as:
import 'dart:math'; import 'package:encrypt/encrypt.dart'; String decryptSessionKey(String randomKey, String cipher) { final encrypter = Encrypter(AES(Key.fromUtf8(randomKey), mode: AESMode.ctr, padding: null)); var iv = randomKey.substring(0, 16); final decrypted = encrypter.decrypt(Encrypted.fromUtf8(cipher), iv: IV.fromUtf8(iv)); return decrypted.toString(); }Given the randomKey as
0QaOUmxpugtnRUTZ6yOSxQeZq47Akiqf, and the cipher aspiMgUF2ISUl/g7ns2/gZyaWQm6Rdv7x500GD7lMLYxhy14Tg+Bizibvz. I would get the decrypted in Typescript as54387c3b38150d2a7a1c545167736e701629382648.However, in Flutter, I got an unreadable string such as
��ʋ�ͻh�0�M��R�Z���YInCXTI*��!�\��-S�f��/�SU��'Is there something I'm missing? Thank you in advance!
-
GOKU over 2 yearsPlease show the encryption code..
-
-
hrtlkr29 over 2 yearsThank you very much for the reply. However, the output decrypted string still remain unreadable if I change the cipher to base64.
final decrypted = encrypter.decrypt(Encrypted.from64(cipher), iv: enc.IV.fromUtf8(iv));orfinal decrypted = encrypter.decrypt(Encrypted.fromBase64(cipher), iv: enc.IV.fromUtf8(iv));Is not working either. Also, I use generated random key in every call so I don't think there will be a repetition of key. Thank you for the advice! -
hrtlkr29 over 2 yearsI just run the code successfully from flutlab so I check again. Turn out it was because of another bug (in the code that I call the function). So I fixed it and now it's working!. Thank you for your help.