search

brix / crypto-js

JavaScript library of crypto standards.
Other
15.88k stars 2.39k forks source link

AES encryption doesn't check key size #293

Open APshenkin opened 4 years ago

APshenkin commented 4 years ago

There is it possibility to create 512bits key and pass it to AES.encrypt/decrypt functions.

e.g.

let key = CryptoJS.PBKDF2(pass, salt, {
    keySize: 512 / 32,
    iterations: iterations
  });

let encrypted = CryptoJS.AES.encrypt(msg, key, {
    iv: iv,
    padding: CryptoJS.pad.Pkcs7,
    mode: CryptoJS.mode.CBC
  });

This will produce non-standart key that will produce 22 AES rounds. But AES standard is defined so:

The key size used for an AES cipher specifies the number of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of rounds are as follows:

10 rounds for 128-bit keys.
12 rounds for 192-bit keys.
14 rounds for 256-bit keys.
APshenkin commented 4 years ago

Also IV vector size is not checked and user can pass more than 16 bytes IV to AES functions. But then crypto-js takes only first 16 bytes

ghost commented 4 years ago

I am having a trouble on this. Because a web site is using this CryptoJS, and the developer used 44 bytes key and 16 bytes for iv. I got the key but I cannot use it with my C# application, because C# only takes 16, 24 or 32 bytes key length. Can anyone explain how CryptoJS can take more than 32 bytes key length?

CodeForcer commented 4 years ago

Can anyone explain how Crypto-JS deals with 512 bit keys? The fact the library lets you do this is a serious bug, as it creates garbage mascarading as an AES encrypted string which is actually only decryptable using Crypto-JS library - as far as I can tell.

When Crypto-JS does this it is not producing a valid AES encrypted output, yet it throws no error and silently performs the encryption.

The library should not be considered safe to use until this is addressed, this is a dangerous and silent error.

arvinsim commented 4 years ago

@CodeForcer Do you have an example of this? I was about to use this library to generate a 512 session key.

Adrian3PG commented 4 years ago

@evanvosberg You seem to be the main contributor to this repo. Any updates on this topic?

Due to cryptoJS not validating key and IV sizes, I encrypted most of my data using AES just to discover I can't decrypt it in other languages like python.

My key is 20 bytes long and my IV is 15 bytes (due to me being new to everything regarding cryptology, I had no idea key and iv should have certain sizes). How does cryptoJS handle this? I used enc.Utf8.parse and got a word array with sigBytes: 20.

I tried to go trough the code to understand how the library handles this case, but it's way too complicated to understand. Do you use Pkcs7 padding on either key or IV? Or is this just a bug and the library generates invalid AES encryption due to validations missing.

Edit: I use the default CBC mode. AES.encrypt(value, key, { iv });

choryuidentify commented 3 years ago

I have 36 bytes key, and The key padded to 48 bytes. In CryptoJS, 'keySize' calculated to 12, and 'nRounds' calculated to 18.

I'm trying to decrypt my text on python, so trying to modify pyaes, because It's pure python library.

I just remove key length check and add 48: 18 to Round map. But no lucks, It fail to decrypt.

Anybody know how to decrypt it on python?

choryuidentify commented 3 years ago

https://gist.github.com/choryuidentify/f2c5bd6669c22d2e95ec638746524dca

I create python port of CryptoJS AES. It only support ECB decrypt. Not CBC, CFB modes and not support encrypt. May it have important bug. I never guarantee it works properly, So don't use your important software.

Thanks.

d3m3vilurr commented 3 years ago

It's an important bug.

a month ago, I also got the same bug, and I thought it's a similar case of PHP's hash function. PHP would generate different md5/sha1 hashsum, and they didn't fix it for the backward compatibility. https://3v4l.org/tT4l8 (I don't understand PHP maintainer's mind.)

this bug is pretty same. many projects could have wrong generated encryption data. and if crypto-js fixes the bug, these data might be broken. but if crypto-js didn't fix the bug, I'm not able to believe the encryption result.

sonhle commented 1 year ago

Anyone has solution with this with Java? I had no idea about the key & iv sizes as well. I was using key with size of 20 and an iv with size of 40 and able to encrypt successfully with CryptoJS. However, I'm failing to decrypt it from Java.

lopo12123 commented 1 year ago

Anyone has solution with this with Java? I had no idea about the key & iv sizes as well. I was using key with size of 20 and an iv with size of 40 and able to encrypt successfully with CryptoJS. However, I'm failing to decrypt it from Java.

I wrote a set of js and java encryption and decryption, they can work very well, I will paste the java part here for your reference, I hope it will be useful to you.

// jdk 11

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.rmi.UnexpectedException;
import java.security.MessageDigest;
import java.time.LocalDateTime;
import java.util.Base64;

public class AESUtil {
    private static byte[] getMD5(String content) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        return md5.digest(content.getBytes());
    }

    private static String generateSeed(String type) {
        return "use a string of any length here will work well.";
    }

    private static byte[] generateKey() throws Exception {
        return getMD5(generateSeed("key"));
    }

    private static byte[] generateIv() throws Exception {
        return getMD5(generateSeed("iv"));
    }

    private static Cipher generateInstance(boolean encode) throws Exception {
        SecretKeySpec _key = new SecretKeySpec(generateKey(), "AES");
        IvParameterSpec _iv = new IvParameterSpec(generateIv());
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(encode ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, _key, _iv);

        return cipher;
    }

    public static String encodeBase64(String content) throws Exception {
        byte[] _encodedBytes = generateInstance(true).doFinal(content.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(_encodedBytes);
    }

    public static String encodeHex(String content) throws Exception {
        throw new UnexpectedException("unimplemented!");
    }

    public static String decodeBase64(String content) throws Exception {
        byte[] _bytesToDecode = Base64.getDecoder().decode(content);
        return new String(generateInstance(false).doFinal(_bytesToDecode), StandardCharsets.UTF_8);
    }

    public static String decodeHex(String content) throws Exception {
        throw new UnexpectedException("unimplemented!");
    }

    public static void main(String[] args) throws Exception {

//        String key_seed = generateSeed("key");
//        String iv_seed = generateSeed("iv");
//        System.out.println(key_seed);
//        System.out.println(iv_seed);

        String data_to_encode = "Hello World";
        String encode_base64 = AESUtil.encodeBase64(data_to_encode);
        String decode_base64 = AESUtil.decodeBase64(encode_base64);

        System.out.println("[Origin]" + data_to_encode);
        System.out.println("[Encode-Base64]" + encode_base64);
        System.out.println("[Decode-Base64]" + decode_base64);

    }
}
Bylaew commented 1 year ago

I need solution for C++ with this config: CryptoJS.algo.AES.keySize = 32, CryptoJS.algo.EvpKDF.cfg.iterations = 10000, CryptoJS.algo.EvpKDF.cfg.keySize = 32; var r = CryptoJS.AES.decrypt(message, key.toString()); Does anyone has it?

HomelessPhD commented 1 year ago

I need solution for C++ with this config: CryptoJS.algo.AES.keySize = 32, CryptoJS.algo.EvpKDF.cfg.iterations = 10000, CryptoJS.algo.EvpKDF.cfg.keySize = 32; var r = CryptoJS.AES.decrypt(message, key.toString()); Does anyone has it?

24