-1

I have following information on decrypting a string. It is for line API. https://developers.line.me/in_app_web/api-reference#get_token

The encrypted string will be decoded using the Channel Secret as a symmetric-key. The algorithm used is AES, the block size is 128 bit, the encryption mode is ECB, and the padding is PKCS#5. The Channel Secret string will be interpreted as a hexadecimal byte string and used as the symmetric-key. The encrypted string follows Base64 encoding and will be restored once it has been decoded.

It also provides examples in java, ruby and php. I am trying to implement this on node.js but I am totally confused with all terms and how to implement this on node.js.

Ruby Implementation

source = ... # encrypted string
cipher = OpenSSL::Cipher::Cipher.new('AES-128-ECB')
cipher.decrypt
cipher.key = ['YOUR_CHANNEL_SECRET'].pack('H*')
decoded = Base64.decode64(source)
decrypted = cipher.update(decoded) + cipher.final

php implementation

$source = ...; // encrypted string
$secretKey = pack('H*', "YOUR_CHANNEL_SECRET");
$decoded = base64_decode($source);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $secretKey, $decoded, MCRYPT_MODE_ECB);

So here we have source and YOUR_CHANNEL_SECRET avaialble. Any help on how to implement this on node.js would be helpful.

thank you

Yalamber
  • 7,360
  • 15
  • 63
  • 89

1 Answers1

1

General information:

  1. In general it is best to use CBC mode, ECB mode is generally not a recommend/secure mode. ECB vs CBC mode.

    enter image description here

  2. AES has one block size of 128-bits, Rijndael must have the block size specified as 128-bits to be AES.

  3. AES can have a key sizes] of 128, 192 or 256 bits.

  4. PKCS#7 and PKCS#5 padding are equivalent and should be used. mcrypt does not support PKCS padding so you will have to do that yourself in code ignorer to use mcrypt.

In general you will be better off using a packed solution such as RNCryptor which supports multiple languages/platforms that handles all the details that are needed to make encryption secure.

zaph
  • 111,848
  • 21
  • 189
  • 228
  • Hello, I need to use ECB mode as that is what the API provider provides. – Yalamber Jan 11 '16 at 02:34
  • Hello, you can push back. Question: how do you feel when your information is exposed/stolen when poor security is used? How about the users of the software your are creating? Overall we need to improve security, not create more poor security, tis is your chance to at least try to make a positive difference. – zaph Jan 11 '16 at 12:32
  • Hello, I have no control over the API I have to use. They come form Line. see here. https://developers.line.me/in_app_web/api-reference#get_token – Yalamber Jan 12 '16 at 02:42
  • I also suggest [avoiding RNCryptor](http://www.openwall.com/lists/oss-security/2016/01/24/10). – Scott Arciszewski Jan 24 '16 at 23:44