byron

byron

Need to decrypt an AES encrypted string that was encrypted in flutter https://pub.dev/packages/encrypt

Hi guys,

I battling to decrypt a string that was encrypted using this
encrypt | Dart package. link in flutter.

AES Encryption

privateKEY = “%8R=&PfC5SXT:pRF2vF[5zCTy}M7CX]J”
privateINV = “}Lq5Wu~nkr\Vdfm~”
Encrypted string = “rMCS4wiyvQH7nXx6slP6rA==”
Actual massage should be = “Fantastic”

The flutter code to encrypt is

Using this library to encrypt text only.


import 'package:encrypt/encrypt.dart';
import 'package:flutter_dotenv/flutter_dotenv.dart';

class EncryptAESData {
  static Encrypted encrypted;
  static var decrypted;

  static String encryptAES(data) {
    final key = Key.fromUtf8(dotenv.env['privateKEY']);
    final iv = IV.fromUtf8(dotenv.env['privateINV']);
    final encrypter = Encrypter(AES(key));
    encrypted = encrypter.encrypt(data, iv: iv);
    return encrypted.base64;
  }

  static decryptAES(data) {
    final key = Key.fromUtf8(dotenv.env['privateKEY']);
    final iv = IV.fromUtf8(dotenv.env['privateINV']);
    final encrypter = Encrypter(AES(key));
    String decrypted = "";
    if (data != "") {
      try {
        decrypted = encrypter.decrypt(Encrypted.fromBase64(data), iv: iv);
      } catch (exception) {
        decrypted = data;
      }
    }
    return decrypted;
  }
}

I’m getting nothing back and i suspect the :crypto.crypto_one_time function i’m using is getting the wrong binary arguments

Here is an example of how i’m getting the binary from the string, if thats even what i’m supposed to do

b_password = :crypto.hash(:md5, privateKEY)

Most Liked

al2o3cr

al2o3cr

:crypto.hash is definitely digging in the wrong spot.

The post from @ChristopheBelpaire almost has it, but the cipher + mode need to match the defaults that encrypt is using:

  • it appears to pick the block size based on the key, so a 32-byte key → AES-256
  • the default AESMode is SIC, also known as CTR

In addition, the given IV has an explicit \ in it, so it needs to be written as \\ inside ".

Putting it all together:

secret = "%8R=&PfC5SXT:pRF2vF[5zCTy}M7CX]J"

iv = "}Lq5Wu~nkr\\Vdfm~"

payload = Base.decode64!("rMCS4wiyvQH7nXx6slP6rA==")

:crypto.crypto_one_time(:aes_256_ctr, secret, iv, payload, false)

# result: "Fantastic\a\a\a\a\a\a\a"

HOWEVER

Using a fixed IV in CTR mode is BAD. Real bad. The original code you posted gets the IV from dotenv, which leads me to believe the same value is used for every encryption.

Reusing an IV for CTR mode means that an attacker that knows ONE plaintext and the corresponding ciphertext can read ANY shorter ciphertext, because the “key stream” is identical for every encryption operation.

A demonstration:

defmodule CompareStream do
  def to_bytes(s) do
    for <<x::8 <- s>>, do: x
  end

  def xor(s1, s2) do
    [to_bytes(s1), to_bytes(s2)]
    |> Enum.zip()
    |> Enum.map(fn {b1, b2} -> Bitwise.bxor(b1, b2) end)
  end
end

secret = "%8R=&PfC5SXT:pRF2vF[5zCTy}M7CX]J"

iv = "}Lq5Wu~nkr\\Vdfm~"

payload = Base.decode64!("rMCS4wiyvQH7nXx6slP6rA==")

message = :crypto.crypto_one_time(:aes_256_ctr, secret, iv, payload, false)

other_message = "lolwut\a\a\a\a\a\a\a\a\a\a"

other_payload = :crypto.crypto_one_time(:aes_256_ctr, secret, iv, other_message, true)

CompareStream.xor(message, payload) |> IO.inspect(label: "first key stream")

CompareStream.xor(other_message, other_payload) |> IO.inspect(label: "second key stream")

This prints:

first key stream: [234, 161, 252, 151, 105, 193, 201, 104, 152, 154, 123, 125, 181, 84, 253, 171]
second key stream: [234, 161, 252, 151, 105, 193, 201, 104, 152, 154, 123, 125, 181, 84, 253, 171]

Generally, you want to use a mode like CTR with an IV that is sent along with the encrypted result and “never” reused. I put “never” in quotes because most implementations settle for something like a 128-bit cryptographically-random number, which could technically repeat if you collected about 2^64 of them but is close enough to “never” for most purposes.

Where Next?

Popular in Questions Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New

Other popular topics Top

AstonJ
Posting this to see if we can make things easier for people to get into Neovim. If you use Neovim and have a favourite distro please let ...
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39523 209
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
sergio
Kind of like when jquery came out, it was super necessary. Existing drag and drop libraries have a bunch of baggage to support old browse...
New

We're in Beta

About us Mission Statement