0

I am working on an MVC application, where I am trying to encrypt my password. I have encrypted the password on click and it's working fine. How do I decrypt the same value in the MVC controller using CryptoJS?

Here is my code:

    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/tripledes.js"></script>

    var secretString = document.getElementById("txtPassword").value;
    var password = "$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/";
    debugger;
    //document.getElementById("secretstring").innerHTML = secretString;
    // var pass = document.getElementById("txtPassword").value;

    var encrypted = CryptoJS.TripleDES.encrypt(secretString, password);

    // document.getElementById("encryptedstring").innerHTML = encrypted.toString();

    //var decrypted = CryptoJS.TripleDES.decrypt(encrypted.toString(), password);
    //var finaltext = decrypted.toString(CryptoJS.enc.Utf8);
    //document.getElementById("txtPassword").value = encrypted;

I have to pass the encrypted value to C# code and decrypt it there using CryptoJS.TripleDES.decrypt.

Can anybody help me, please? Thanks in advance.

user1557020
  • You might want to look at the TripleDES class; however, are you sure what you are doing is worthwhile? If you want to ensure the password cannot be extracted by a packet sniffer or otherwise intercepted, then SSL is the way to go rather than encrypting using JavaScript. If your server-side code expects an encrypted password, then an attacker doesn't need the clear text password; they can just send the encrypted password. http://msdn.microsoft.com/en-us/library/system.security.cryptography.tripledes(v=vs.110).aspx – Ben Robinson Oct 29 '14 at 10:35
  • Hi, I am trying to authenticate the user using LDAP. I got an exception from the application security team that I am sending the plain password: user credentials are sent in clear text over the network for authentication. An intruder can sniff the network and capture user credentials. So I decided to encrypt the password before calling the LDAP connection method using JavaScript. Am I doing anything wrong? If so, please guide me. – user1557020 Oct 29 '14 at 10:42
  • I don't think it is any more secure than sending the plain text password, because anyone that can sniff the network can view the request that sends the page to the user in the first place, and this contains all the info needed to decrypt the password. Second, even if they only had the password, if you have a service that expects an encrypted password, then all an attacker has to do to spoof a login is resend the encrypted password. Short version: use SSL. – Ben Robinson Oct 29 '14 at 10:47

1 Answer

2

There is a 3DES provider in the .NET Library and here is a good example of how to use it: How to implement Triple DES in C# (complete example)

In principle, if you use 3DES on the client, you just use another 3DES implementation on the server; you don't need to use the same implementation -- and since CryptoJS is JavaScript, it is mostly restricted to client-side use anyway.

That being said, your string is not sent securely over the network, because your source code clearly identifies the method + password used to encrypt. So anyone who can sniff the data going to your server can decrypt.

To really encrypt the traffic securely, you'd need to use SSL (= HTTPS).

Roy Dictus
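
What "another 3DES implementation on the server" from the answer above can look like, as an added example (not code from the question, the answer, or the linked article): it parses the OpenSSL-style salted format that CryptoJS emits when given a passphrase string and decrypts it with .NET's TripleDES class. The class and method names are assumptions; the only secret it needs is the passphrase that the page's JavaScript already exposes, which is the answer's reason for recommending HTTPS.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class CryptoJsTripleDes  // hypothetical helper name
{
    // Input: the Base64 text from CryptoJS.TripleDES.encrypt(text, passphrase).toString().
    public static string Decrypt(string base64, string passphrase)
    {
        byte[] blob = Convert.FromBase64String(base64);
        // Passphrase mode wraps the output OpenSSL-style: "Salted__" | 8-byte salt | ciphertext.
        if (blob.Length < 24 || (blob.Length % 8) != 0 ||
            !blob.Take(8).SequenceEqual(Encoding.ASCII.GetBytes("Salted__")))
            throw new FormatException("Not a salted CryptoJS/OpenSSL message.");
        byte[] salt = blob.Skip(8).Take(8).ToArray();
        byte[] cipherText = blob.Skip(16).ToArray();
        // Key derivation (EVP_BytesToKey, MD5, one round): each block is
        // MD5(previous block | passphrase | salt), until 24 key + 8 IV bytes exist.
        byte[] passAndSalt = Encoding.UTF8.GetBytes(passphrase).Concat(salt).ToArray();
        byte[] derived = new byte[0], block = new byte[0];
        using (MD5 md5 = MD5.Create())
        {
            while (derived.Length < 32)
            {
                block = md5.ComputeHash(block.Concat(passAndSalt).ToArray());
                derived = derived.Concat(block).ToArray();
            }
        }
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Mode = CipherMode.CBC;        // CryptoJS default mode
            tdes.Padding = PaddingMode.PKCS7;  // CryptoJS default padding
            tdes.Key = derived.Take(24).ToArray();
            tdes.IV = derived.Skip(24).Take(8).ToArray();
            using (ICryptoTransform decryptor = tdes.CreateDecryptor())
            {
                byte[] plain = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    // Usage: pass the Base64 ciphertext and the passphrase as command-line arguments.
    public static void Main(string[] args)
    {
        Console.WriteLine(Decrypt(args[0], args[1]));
    }
}
```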