Reputation: 2632
I've already implemented RSA encryption in JavaScript and RSA decryption in Java, which is just a simple process. But the problem is that I have to encrypt a large amount of data, which is not possible for RSA in a single go; either I have to split the data to be encrypted (which will complicate the process) or use AES with RSA encryption and decryption. So I opted to go for AES with RSA encryption and decryption.
Here is my JavaScript code, which uses Crypto-js:
<script src="rollups/aes.js"></script>
<script src="components/enc-base64-min.js"></script>
<script type="text/javascript" src="rollups/jquery-min.js"></script>
<script type="text/javascript">
    // Random 16-byte value; its hex form is used as the passphrase below.
    var secretPass = CryptoJS.lib.WordArray.random(16);
    var message = "<username>user</username><password>password</password>";
    // A string second argument is treated as a passphrase: CryptoJS derives
    // the key and IV from it together with a random salt.
    var encrypted = CryptoJS.AES.encrypt(message, CryptoJS.enc.Hex.stringify(secretPass));
    // Base64 of the raw ciphertext only (the salt is not included).
    var encode = encrypted.ciphertext.toString(CryptoJS.enc.Base64);
    var secretPasses = CryptoJS.enc.Hex.stringify(secretPass);
    console.log('encrypted: ', encrypted);
    console.log('secretPasses: ', secretPasses);
    console.log('encode: ', encode);
    $.ajax({
        url: 'encryption',
        type: 'POST',
        data: {
            encode: encode,
            secretPasses: secretPasses
        },
        success: function(data) {
            console.log('success');
        },
        // jQuery calls "error" on a failed request; a "failure" option is never invoked.
        error: function(data) {
            console.log('failure');
        }
    });
</script>
Output in JSP:
encrypted: U2FsdGVkX192e9xprFPyuWu3Rxv2+CDMXiu2/TtNDwExvo4Dstx1mbqCHgds27Ng7zhYayVLjifeG15cuHI7hHfmEWvVeo7DDmOUsZmQAEM=
secretPasses: 23f96d28ae9f9c1c8c37050f79acdb37
encode: a7dHG/b4IMxeK7b9O00PATG+jgOy3HWZuoIeB2zbs2DvOFhrJUuOJ94bXly4cjuEd+YRa9V6jsMOY5SxmZAAQw==
In the post method of my servlet, I used sysout to check whether the received data is the same or not. The secret pass I'm getting is the same, and the encoded data is also the same. The problem is that the encoded data changed its form in the JSP itself while doing the conversion from encrypted to encode. I tried to pass "encrypted" directly via ajax, but it points to an error; if I put "alert(typeof encrypted);", it alerts "Object". How can I pass the original encrypted data to the servlet?
    System.out.println("secretpasses: "+request.getParameter("secretPasses"));
    System.out.println("encode: "+request.getParameter("encode"));
Output in Java:
secretpasses: 23f96d28ae9f9c1c8c37050f79acdb37
encode: a7dHG/b4IMxeK7b9O00PATG+jgOy3HWZuoIeB2zbs2DvOFhrJUuOJ94bXly4cjuEd+YRa9V6jsMOY5SxmZAAQw==
Also, it would be welcome if I could get some examples of AES encryption in JavaScript and decryption in Java. I mentioned that it's AES with RSA encryption and decryption, but it's not included in the current code. If I can get the AES part working, I can do RSA appropriately by encrypting the AES key.
Upvotes: 3
Views: 7317
Reputation: 61892
You can't directly pass encrypted to the backend, because it is an object which contains the ciphertext and some additional important data in the native CryptoJS format. There is no easy way to represent this object in Java without some work.
You can, however, produce a string from this object by calling the toString() function on it. This will give you an OpenSSL-formatted string which can be sent via ajax. While you could certainly parse this string in Java to get the necessary information to decrypt it, it might be easier to pass the ciphertext and salt parameters to the backend directly.
See here how they can be used for decryption. Note that the salt and password derive not only the key, but also the IV.
The other possibility is to use a better password derivation by leveraging the PBKDF2 in CryptoJS and Java. See here for some examples of that.
Upvotes: 1
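The OpenSSL-formatted string and the salt-plus-password derivation described in the answer, as an added example that is not part of the original posts: it splits the question's printed `encrypted` value into salt and ciphertext, showing that `encode` is the same ciphertext without the salt header, and derives key and IV the way CryptoJS does by default for a string passphrase (MD5-based OpenSSL derivation, AES-256-CBC). It uses Node's built-in `crypto` rather than CryptoJS or Java; the function names are hypothetical, and `encryptOpenSsl` is a stand-in for `CryptoJS.AES.encrypt(...).toString()` so the block runs without the library.

```javascript
// Added example (Node.js, built-in crypto only). Function names are hypothetical.
const crypto = require('crypto');

// Values printed in the question ("encrypted" and "encode").
const PAGE_ENCRYPTED = 'U2FsdGVkX192e9xprFPyuWu3Rxv2+CDMXiu2/TtNDwExvo4Dstx1mbqCHgds27Ng7zhYayVLjifeG15cuHI7hHfmEWvVeo7DDmOUsZmQAEM=';
const PAGE_ENCODE = 'a7dHG/b4IMxeK7b9O00PATG+jgOy3HWZuoIeB2zbs2DvOFhrJUuOJ94bXly4cjuEd+YRa9V6jsMOY5SxmZAAQw==';

// OpenSSL layout: "Salted__" (8 bytes) | salt (8 bytes) | ciphertext.
function parseOpenSsl(b64) {
  const raw = Buffer.from(b64, 'base64');
  if (raw.length < 32 || raw.subarray(0, 8).toString('latin1') !== 'Salted__') {
    throw new Error('not an OpenSSL salted blob');
  }
  return { salt: raw.subarray(8, 16), ciphertext: raw.subarray(16) };
}

// EVP_BytesToKey with MD5, one iteration: 32-byte key followed by 16-byte IV.
function deriveKeyIv(passphrase, salt) {
  const pass = Buffer.from(passphrase, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < 48) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pass, salt])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

// Server-side decryption of the string produced by encrypted.toString().
function decryptOpenSsl(b64, passphrase) {
  const { salt, ciphertext } = parseOpenSsl(b64);
  const { key, iv } = deriveKeyIv(passphrase, salt);
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(ciphertext), d.final()]).toString('utf8');
}

// Stand-in for the CryptoJS passphrase mode, used here for a round trip.
function encryptOpenSsl(message, passphrase, salt = crypto.randomBytes(8)) {
  const { key, iv } = deriveKeyIv(passphrase, salt);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  const ct = Buffer.concat([c.update(message, 'utf8'), c.final()]);
  return Buffer.concat([Buffer.from('Salted__', 'latin1'), salt, ct]).toString('base64');
}
```

Sending only `encode` drops the salt, so the receiver cannot re-derive the key and IV from the passphrase; the full `toString()` value or the ciphertext together with the salt is needed.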