
Decrypting with crypto-js

I receive data from a third party at an API that contains encrypted data. They provided me with a Passphrase to decrypt the content of the JSON file, but I do not get any result; so they provided me with the code they use to generate the encryption, which is written in VB.NET:

Public Shared Function EncryptString(ByVal Message As String, ByVal Passphrase As String) As String
        Dim Results As Byte()
        Dim UTF8 As System.Text.UTF8Encoding = New System.Text.UTF8Encoding()
        Dim HashProvider As MD5CryptoServiceProvider = New MD5CryptoServiceProvider()
        Dim TDESKey As Byte() = HashProvider.ComputeHash(UTF8.GetBytes(Passphrase))
        Dim TDESAlgorithm As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider()
        TDESAlgorithm.Key = TDESKey

        TDESAlgorithm.Mode = CipherMode.ECB
        TDESAlgorithm.Padding = PaddingMode.PKCS7
        Dim DataToEncrypt As Byte() = UTF8.GetBytes(Message)
        Dim Encryptor As ICryptoTransform = TDESAlgorithm.CreateEncryptor()
        Results = Encryptor.TransformFinalBlock(DataToEncrypt, 0, DataToEncrypt.Length)
        Return Convert.ToBase64String(Results)
    End Function

I tried to decrypt with:

let key = CryptoJS.enc.Utf8.parse(Passphrase);
let decryptedData = CryptoJS.AES.decrypt(Message, key, {
  iv: key
});
alert(decryptedData.toString( CryptoJS.enc.Utf8 ));

But I get an empty string and this console error: Error: Malformed UTF-8 data

If I do

const passworddes = CryptoJS.DES.decrypt(message, key, {
      mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7
    }).toString();

I get an empty string only.

Am I missing something on the decryption?

Thank you all.

UPDATE:

The supplier provided me with the function they utilize to decrypt. In the TypeScript code above I'm setting the mode and the padding as they do in their .NET code, but I'm still getting nothing.

Here is the function they utilize:

Public Shared Function DecryptString(ByVal Message As String, ByVal Passphrase As String) As String
        Dim Results As Byte()
        Dim UTF8 As System.Text.UTF8Encoding = New System.Text.UTF8Encoding()
        Dim HashProvider As MD5CryptoServiceProvider = New MD5CryptoServiceProvider()
        Dim TDESKey As Byte() = HashProvider.ComputeHash(UTF8.GetBytes(Passphrase))
        Dim TDESAlgorithm As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider()
        TDESAlgorithm.Key = TDESKey
        TDESAlgorithm.Mode = CipherMode.ECB
        TDESAlgorithm.Padding = PaddingMode.PKCS7
        Dim DataToDecrypt As Byte() = Convert.FromBase64String(Message)
        Dim Decryptor As ICryptoTransform = TDESAlgorithm.CreateDecryptor()
        Results = Decryptor.TransformFinalBlock(DataToDecrypt, 0, DataToDecrypt.Length)
        Return UTF8.GetString(Results)
    End Function

The VB code derives the key from the passphrase with MD5. TripleDES (aka 3DES) with a 16-byte key (2TDEA) is used as the algorithm. ECB is applied as the mode. A possible decryption with CryptoJS is:

 var key = CryptoJS.MD5('my passphrase');
 var message = 'vg0m/29RO6Y9o5SATGFj4H3p612sIIk6/Ny1wtr8HLomM3gI5WYYNKy//pAjq/ZJ';
 const decrypted = CryptoJS.TripleDES.decrypt(
   message,
   key,
   { mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7 }
 ).toString(CryptoJS.enc.Utf8);
 console.log(decrypted);

 <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js"></script>

In the above example the ciphertext was created with the VB code.

Note that the code is very insecure:

  • MD5 is broken, better: SHA256.
  • The key derivation from a digest is also insecure (even if the digest is secure), better: a reliable key derivation function like Argon2 or PBKDF2.
  • ECB is insecure, better: CBC or even better: GCM.
  • TripleDES is deprecated and slow, better: AES.
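
The following is an added example, not part of the original answer and not the supplier's code. It reimplements the VB scheme with Node's built-in `crypto` module (instead of CryptoJS) and shows what the ECB note means in practice: equal plaintext blocks give equal ciphertext blocks, and the same message always encrypts to the same output. The function names and the sample message are constructed for illustration.

```javascript
const crypto = require('crypto');

// .NET accepts a 16-byte TripleDES key (K1||K2) and reuses K1 as the third key.
// OpenSSL's des-ede3 (3DES in ECB mode) wants all 24 bytes, so K1 is appended.
function deriveKey(passphrase) {
  const md5 = crypto.createHash('md5').update(passphrase, 'utf8').digest();
  return Buffer.concat([md5, md5.subarray(0, 8)]);
}

// Same steps as the VB EncryptString: MD5 key, 3DES/ECB/PKCS7, Base64 output.
function encryptString(message, passphrase) {
  const c = crypto.createCipheriv('des-ede3', deriveKey(passphrase), null);
  return Buffer.concat([c.update(message, 'utf8'), c.final()]).toString('base64');
}

// Same steps as the VB DecryptString.
function decryptString(b64, passphrase) {
  const d = crypto.createDecipheriv('des-ede3', deriveKey(passphrase), null);
  const ct = Buffer.from(b64, 'base64');
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Count 8-byte ciphertext blocks that repeat an earlier block.
// Any repeat reveals that the corresponding plaintext blocks are equal.
function repeatedBlocks(b64) {
  const ct = Buffer.from(b64, 'base64');
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i + 8 <= ct.length; i += 8) {
    const block = ct.subarray(i, i + 8).toString('hex');
    if (seen.has(block)) repeats++;
    else seen.add(block);
  }
  return repeats;
}

// Constructed sample: two identical 8-byte plaintext blocks, then a short tail.
const sample = '0000000000000000secret';
const sampleCt = encryptString(sample, 'my passphrase');
console.log('ciphertext      :', sampleCt);
console.log('round trip      :', decryptString(sampleCt, 'my passphrase'));
console.log('repeated blocks :', repeatedBlocks(sampleCt));
console.log('deterministic   :', sampleCt === encryptString(sample, 'my passphrase'));
```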
