JavaScript string encryption and decryption

Question

I m interested in building a small app for personal use that will encrypt and decrypt information on the client side using JavaScript   The encrypted information will be stored in a database on a server  but never the decrypted version   It doesn t have to be super duper secure  but I would like to use a currently unbroken algorithm   Ideally I d be able to do something like  var gibberish   encrypt string  salt  key     to generate the encoded string  and something like  var sensical   decrypt gibberish  key     to decode it later   So far I ve seen this  http   bitwiseshiftleft github io sjcl   Any other libraries I should look at

User · Answer

Modern browsers now support the crypto subtle API  which provides native encryption and decryption functions  async no less   using one of these method  AES-CBC  AES-CTR  AES-GCM  or RSA-OAEP   https   www w3 org TR WebCryptoAPI  dfn-Crypto

User · Answer

How about CryptoJS    It s a solid crypto library  with a lot of functionality  It implements hashers  HMAC  PBKDF2 and ciphers  In this case ciphers is what you need  Check out the quick-start quide on the project s homepage     You could do something like with the AES      lt script src  http   crypto-js googlecode com svn tags 3 1 2 build rollups aes js  gt  lt  script gt    lt script gt      var encryptedAES   CryptoJS AES encrypt  Message    My Secret Passphrase        var decryptedBytes   CryptoJS AES decrypt encryptedAES   My Secret Passphrase        var plaintext   decryptedBytes toString CryptoJS enc Utf8    lt  script gt    As for security  at the moment of my writing AES algorithm is thought to be unbroken    Edit     Seems online URL is down  amp  you can use the downloaded files for encryption from below given link  amp  place the respective files in your root folder of the application   https   code google com archive p crypto-js downloads  or used other CDN like https   cdnjs cloudflare com ajax libs crypto-js 3 1 2 components aes-min js

User · Answer

The existing answers which leverage SJCL  CryptoJS  and or WebCrypto aren t necessarily wrong but they re not as safe as you might initially suspect  Generally you want to use libsodium  First I ll explain why  then how   Why Not SJCL  CryptoJS  WebCrypto  etc    Short answer  In order for your encryption to actually be secure  these libraries expect you to make too many choices e g  the block cipher mode  CBC  CTR  GCM  if you can t tell which of the three I just listed is secure to use and under what constraints  you shouldn t be burdened with this sort of choice at all    Unless your job title is cryptography engineer  the odds are stacked against you implementing it securely   Why to Avoid CryptoJS   CryptoJS offers a handful of building blocks and expects you to know how to use them securely  It even defaults to CBC mode  archived    Why is CBC mode bad   Read this write-up on AES-CBC vulnerabilities   Why to Avoid WebCrypto   WebCrypto is a potluck standard  designed by committee  for purposes that are orthogonal to cryptography engineering  Specifically  WebCrypto was meant to replace Flash  not provide security   Why to Avoid SJCL   SJCL s public API and documentation begs users to encrypt data with a human-remembered password  This is rarely  if ever  what you want to do in the real world   Additionally  Its default PBKDF2 round count is roughly 86 times as small as you want it to be  AES-128-CCM is probably fine   Out of the three options above  SJCL is the least likely to end in tears  But there are better options available   Why is Libsodium Better   You don t need to choose between a menu of cipher modes  hash functions  and other needless options  You ll never risk screwing up your parameters and removing all security from your protocol   Instead  libsodium just gives you simple options tuned for maximum security and minimalistic APIs    crypto box     crypto box open   offer authenticated public-key encryption    The algorithm in question combines X25519  ECDH over Curve25519  and XSalsa20-Poly1305  but you don t need to know  or even care  about that to use it securely  crypto secretbox     crypto secretbox open   offer shared-key authenticated encryption    The algorithm in question is XSalsa20-Poly1305  but you don t need to know care    Additionally  libsodium has bindings in dozens of popular programming languages  so it s very likely that libsodium will just work when trying to interoperate with another programming stack  Also  libsodium tends to be very fast without sacrificing security   How to Use Libsodium in JavaScript   First  you need to decide one thing    Do you just want to encrypt decrypt data  and maybe still somehow use the plaintext in database queries securely  and not worry about the details  Or    Do you need to implement a specific protocol    If you selected the first option  get CipherSweet js    The documentation is available online  EncryptedField is sufficient for most use cases  but the EncryptedRow and EncryptedMultiRows APIs may be easier if you have a lot of distinct fields you want to encrypt   With CipherSweet  you don t need to even know what a nonce IV is to use it securely   Additionally  this handles int float encryption without leaking facts about the contents through ciphertext size   Otherwise  you ll want sodium-plus  which is a user-friendly frontend to various libsodium wrappers  Sodium-Plus allows you to write performant  asynchronous  cross-platform code that s easy to audit and reason about   To install sodium-plus  simply run     npm install sodium-plus   There is currently no public CDN for browser support  This will change soon  However  you can grab sodium-plus min js from the latest Github release if you need it    x000D   x000D  const   SodiumPlus     require  sodium-plus    x000D  let sodium  x000D   x000D   async function      x000D      if   sodium  sodium   await SodiumPlus auto    x000D      let plaintext    Your message goes here   x000D      let key   await sodium crypto secretbox keygen    x000D      let nonce   await sodium randombytes buf 24   x000D      let ciphertext   await sodium crypto secretbox  x000D          plaintext  x000D          nonce  x000D          key     x000D         x000D      console log ciphertext toString  hex     x000D   x000D      let decrypted   await sodium crypto secretbox open  x000D          ciphertext  x000D          nonce  x000D          key x000D         x000D   x000D      console log decrypted toString     x000D        x000D   x000D   x000D    The documentation for sodium-plus is available on Github   If you d like a step-by-step tutorial  this dev to article has what you re looking for

User · Answer

Use SimpleCrypto  Using encrypt   and decrypt       To use SimpleCrypto  first create a SimpleCrypto instance with a   secret key  password   Secret key parameter MUST be defined when   creating a SimpleCrypto instance       To encrypt and decrypt data  simply use encrypt   and decrypt     function from an instance  This will use AES-CBC encryption algorithm    var  secretKey    some-unique-key    var simpleCrypto   new SimpleCrypto  secretKey    var plainText    Hello World    var chiperText   simpleCrypto encrypt plainText   console log  Encryption process       console log  Plain Text          plainText   console log  Cipher Text         cipherText   var decipherText   simpleCrypto decrypt cipherText   console log      and then decryption       console log  Decipher Text       decipherText   console log      done

User · Answer

Before implementying any of this  please see Scott Arciszewski s answer  I want you to be very careful with what I m about to share as I have little to no security knowledge  There s a high chance that I m misusing the API below   so I d be more than welcome to update this answer with the help of the community  As  richardtallent mentioned in his answer  there s support for the Web Crypto API  so this example uses the standard  As of this writing  there s a 95 88  of global browser support  I m going to be sharing an example using the Web Crypto API Before we proceed  please note  Quoting from MDN    This API provides a number of low-level cryptographic primitives  It s very easy to misuse them  and the pitfalls involved can be very subtle  Even assuming you use the basic cryptographic functions correctly  secure key management and overall security system design are extremely hard to get right and are generally the domain of specialist security experts  Errors in security system design and implementation can make the security of the system completely ineffective  If you re not sure you know what you are doing  you probably shouldn t be using this API   I respect security a lot  and I even bolded additional parts from MDN    You ve been warned   Now  to the actual example     JSFiddle  Found here  https   jsfiddle net superjose rm4e0gqa 5  Note  Note the use of await keywords  Use it inside an async function or use  then   and  catch    Generate the key     https   developer mozilla org en-US docs Web API CryptoKey    https   developer mozilla org en-US docs Web API RsaHashedKeyGenParams    https   github com diafygi webcrypto-examples rsa-oaep---generatekey     const stringToEncrypt    https   localhost 3001          https   github com diafygi webcrypto-examples rsa-oaep---generatekey        The resultant publicKey will be used to encrypt        and the privateKey will be used to decrypt          Note  This will generate new keys each time  you must store both of them in order for         you to keep encrypting and decrypting                I warn you that storing them in the localStorage may be a bad idea  and it gets out of the scope        of this post       const key   await crypto subtle generateKey         name   RSA-OAEP         modulusLength  4096        publicExponent   new Uint8Array  0x01  0x00  0x01          hash   name   SHA-512                  true         This depends a lot on the algorithm used        Go to https   developer mozilla org en-US docs Web API SubtleCrypto        and scroll down to see the table  Since we re using RSA-OAEP we have encrypt and decrypt available       encrypt    decrypt             key will yield a key publicKey and key privateKey property   Encrypt      const encryptedUri   await crypto subtle encrypt         name   RSA-OAEP         key publicKey  stringToArrayBuffer stringToEncrypt            console log  The encrypted string is   encryptedUri      Decrypt    const msg   await  crypto subtle decrypt         name   RSA-OAEP          key privateKey  encryptedUri       console log  Derypted Uri is   arrayBufferToString msg      Converting ArrayBuffer back and forth from String  Done in TypeScript     private arrayBufferToString buff  ArrayBuffer        return String fromCharCode apply null  new Uint16Array buff  as unknown as number            private stringToArrayBuffer str  string        const buff   new ArrayBuffer str length 2     Because there are 2 bytes for each char      const buffView   new Uint16Array buff       for let i   0  strLen   str length  i  lt  strLen  i            buffView i    str charCodeAt i             return buff       You can find more examples here  I m not the owner      https   github com diafygi webcrypto-examples

User · Answer

you can use those function it s so easy the First one for encryption so you just call the function and send the text you wanna encrypt it and take the result from encryptWithAES function and send it to decrypt Function like this  const CryptoJS   require  quot crypto-js quot           The Function Below To Encrypt Text    const encryptWithAES    text    gt          const passphrase    quot My Secret Passphrase quot         return CryptoJS AES encrypt text  passphrase  toString                 The Function Below To Decrypt Text     const decryptWithAES    ciphertext    gt          const passphrase    quot My Secret Passphrase quot         const bytes   CryptoJS AES decrypt ciphertext  passphrase         const originalText   bytes toString CryptoJS enc Utf8         return originalText            let encryptText   encryptWithAES  quot YAZAN quot         EncryptedText   gt     U2FsdGVkX19GgWeS66m0xxRUVxfpI60uVkWRedyU15I      let decryptText   decryptWithAES encryptText       decryptText   gt     YAZAN

User · Answer

I created an insecure but simple text cipher decipher util  No dependencies with any external library   These are the functions  const cipher   salt   gt        const textToChars   text   gt  text split     map c   gt  c charCodeAt 0        const byteHex   n   gt    0    Number n  toString 16   substr -2       const applySaltToChar   code   gt  textToChars salt  reduce  a b    gt  a   b  code        return text   gt  text split              map textToChars           map applySaltToChar           map byteHex           join         const decipher   salt   gt        const textToChars   text   gt  text split     map c   gt  c charCodeAt 0        const applySaltToChar   code   gt  textToChars salt  reduce  a b    gt  a   b  code       return encoded   gt  encoded match    1 2  g           map hex   gt  parseInt hex  16            map applySaltToChar           map charCode   gt  String fromCharCode charCode            join          And you can use them as follows      To create a cipher const myCipher   cipher  mySecretSalt      Then cipher any text  myCipher  the secret string        -- gt   7c606d287b6d6b7a6d7c287b7c7a61666f     To decipher  you need to create a decipher and use it  const myDecipher   decipher  mySecretSalt   myDecipher  7c606d287b6d6b7a6d7c287b7c7a61666f         -- gt   the secret string

User · Answer

Simple functions    function  Encrypt value        var result         for i 0 i lt value length i              if i lt value length-1                result  value charCodeAt i  10          result   -             else               result  value charCodeAt i  10                  return  result    function  Decrypt value      var result       var array   value split  -         for i 0 i lt array length i                  result  String fromCharCode array i -10             return  result

User · Answer

CryptoJS is no longer supported  If you want to continue using it  you may switch to this url     lt script src  https   cdnjs cloudflare com ajax libs crypto-js 3 1 2 rollups aes js  gt  lt  script gt

User · Answer

x000D   x000D   var encrypted   CryptoJS AES encrypt  Message    Secret Passphrase    x000D    U2FsdGVkX18ZUVvShFSES21qHsQEqZXMxQ9zgHy bu0  x000D   x000D  var decrypted   CryptoJS AES decrypt encrypted   Secret Passphrase    x000D    4d657373616765 x000D   x000D   x000D  document getElementById  demo1   innerHTML   encrypted  x000D  document getElementById  demo2   innerHTML   decrypted  x000D  document getElementById  demo3   innerHTML   decrypted toString CryptoJS enc Utf8   x000D  Full working sample actually is  x000D   x000D       lt script src  https   cdnjs cloudflare com ajax libs crypto-js 3 1 2 rollups aes js  integrity  sha256- H4YS 7aYb9kJ5OKhFYPUjSJdrtV6AeyJOtTkw6X72o   crossorigin  anonymous  gt  lt  script gt  x000D   x000D   lt br gt  lt br gt  x000D   lt label gt encrypted lt  label gt  x000D   lt div id  demo1  gt  lt  div gt  x000D   lt br gt  x000D   x000D   lt label gt decrypted lt  label gt  x000D   lt div id  demo2  gt  lt  div gt  x000D   x000D   lt br gt  x000D   lt label gt Actual Message lt  label gt  x000D   lt div id  demo3  gt  lt  div gt  x000D   x000D   x000D

User · Answer

crypt subtle AES-GCM  self-contained  tested  async function aesGcmEncrypt plaintext  password   async function aesGcmDecrypt ciphertext  password    https   gist github com chrisveness 43bcda93af9f646d083fad678071b90a

[encryption] JavaScript string encryption and decryption?

Examples related to encryption

Examples related to javascript