AES decryption with password using CryptoJS returns a blank value

javascript encryption cryptography cryptojs
Stubborn picture Stubborn · Sep 8, 2015 · Viewed 9.2k times · Source

Scenario

I've got the following code:

What my code should do

Encrypt a string with AES using CryptoJS; decrypt encrypted text saved in local storage and show the result in a div

What is not working

While the string seems to get encrypted, the variable decrypt is empty. No errors are triggered in the chrome console.

My question

How can I successfully encrypt and decrypt my text?

Answer

Artjom B. picture Artjom B. · Sep 8, 2015

CryptoJS has two slightly different types of encryption/decryption.

When you use 

var encrypted = CryptoJS.AES.encrypt(text, password);

then you're using password-based encryption which is not the same as pure key/IV-based encryption. This means that the password and a randomly generated salt are run through one MD5 invocation to produce the key and IV for the actual encryption. This is an OpenSSL compatible way to encrypt something. The encrypted object stores the random salt which was used to generate the key and IV.

When you force encrypted to be converted to string (like adding it to localStorage), then it is converted into an OpenSSL compatible string encoding which includes the salt. In order to decrypt it again, you don't need to mess around with the key, IV or salt yourself, because CryptoJS automatically does that for you:

var decrypted = CryptoJS.AES.decrypt(encrypted, password);

Keep in mind that decrypted is a WordArray object and when you force it to be converted to string it will encode the contents into Hex by default. If you don't want that then you need to specify the encoding such as UTF-8 yourself.

A blank value is usually returned when the decryption failed for some reason such as wrong key, wrong ciphertext or wrong encoding. CryptoJS won't throw custom error messages, but will try to continue, because you should know what you're doing.

Full code:

var password = "testpassword";

document.getElementById("enc_button").onclick = function(){
  var text = document.getElementById("new_note").value;
  
  var encrypted = CryptoJS.AES.encrypt(text, password);
  encrypted = encrypted.toString();
  
  var decrypted = CryptoJS.AES.decrypt(encrypted, password);
  decrypted = decrypted.toString(CryptoJS.enc.Utf8)
  
  document.getElementById("decrypted").innerHTML = decrypted;
}
<script src="https://cdn.rawgit.com/CryptoStore/crypto-js/3.1.2/build/rollups/aes.js"></script>
<div id="decrypted">Please wait...</div>
Insert new note:<input type="text" id="new_note"><input type="button" id="enc_button" value="Encrypt & Decrypt">

Related questions

How to encrypt data that needs to be decrypted in node.js?

We are using bcrypt for hashing passwords and data that never needs to be decrypted. What should we do to protect other user information that does need to be decrypted? For example, let's say that we didn't want a user's …

Read More
JavaScript string encryption and decryption?

I'm interested in building a small app for personal use that will encrypt and decrypt information on the client side using JavaScript. The encrypted information will be stored in a database on a server, but never the decrypted version. It …

Read More
How can I hide or encrypt JavaScript code?

Is there any way to hide or encrypt JavaScript code to prevent people from viewing, copying, and/or modifying proprietary programs?

Read More