Menu
I'm trying to encrypt some text inside a database to be loaded and decrypted during program startup.
I have tried a few methods, including a third party library https://github.com/richard-lyman/lithcrypt to no avail. Using the following method encrypts/decrypts 8/10 items, but it seems that some padding residue is left behind at some point in the encrypt/decrypt. As it stands my code is like this:
package client
import (
"encoding/base64"
"crypto/aes"
"crypto/cipher"
"fmt"
)
var iv = []byte{34, 35, 35, 57, 68, 4, 35, 36, 7, 8, 35, 23, 35, 86, 35, 23}
func encodeBase64(b []byte) string {
return base64.StdEncoding.EncodeToString(b)
}
func decodeBase64(s string) []byte {
data, err := base64.StdEncoding.DecodeString(s)
if err != nil { panic(err) }
return data
}
func Encrypt(key, text string) string {
block, err := aes.NewCipher([]byte(key))
if err != nil { panic(err) }
plaintext := []byte(text)
cfb := cipher.NewCFBEncrypter(block, iv)
ciphertext := make([]byte, len(plaintext))
cfb.XORKeyStream(ciphertext, plaintext)
return encodeBase64(ciphertext)
}
func Decrypt(key, text string) string {
block, err := aes.NewCipher([]byte(key))
if err != nil { panic(err) }
ciphertext := decodeBase64(text)
cfb := cipher.NewCFBEncrypter(block, iv)
plaintext := make([]byte, len(ciphertext))
cfb.XORKeyStream(plaintext, ciphertext)
}
It was mentioned to me that I might need to pad the string, but it seems strange that I would have to pad a stream cipher.
Below is an example of this error: http://play.golang.org/p/4FQBAeHgRs
963
The idea of base64 is that you encode binary data into text. You then decode that text data to a byte array. You can't just decode any arbitrary text as if it were a complete base64 message any more than you can try to decode an mp3 as a jpeg image.
Sometimes Base64 is used to encrypt the plaintext, but it does not have the key. Everyone can decrypt the message by knowing the table pattern. This study describes the process of encryption and decryption using Base64.
AES 256 is virtually impenetrable using brute-force methods. While a 56-bit DES key can be cracked in less than a day, AES would take billions of years to break using current computing technology. Hackers would be foolish to even attempt this type of attack. Nevertheless, no encryption system is entirely secure.
You can encrypt passwords in the client environment and the server environment by using Advanced Encryption Standard (AES). You can create and enable an AES custom key manager when the default key manager does not implement a specific requirement for your needs.
This is based on the NewCFBEncrypter / NewCFBDecrypter examples and seems to do what you require:
EDIT: Based on Kluyg's comment regarding IV creation I've modified the example code to use the recommended method of creating the IV from the ciphertext same method as the linked example to create the IV from the ciphertext. (In production code the IV should be generated seperately each time. Thanks to RoundSparrow hilltx for pointing this out.)
I think the problem you're encountering is due to an invalid key length, but I'm not 100% sure.
package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" "encoding/base64" "errors" "fmt" "io" "log" ) func main() { key := []byte("a very very very very secret key") // 32 bytes plaintext := []byte("some really really really long plaintext") fmt.Printf("%s\n", plaintext) ciphertext, err := encrypt(key, plaintext) if err != nil { log.Fatal(err) } fmt.Printf("%0x\n", ciphertext) result, err := decrypt(key, ciphertext) if err != nil { log.Fatal(err) } fmt.Printf("%s\n", result) } // See alternate IV creation from ciphertext below //var iv = []byte{35, 46, 57, 24, 85, 35, 24, 74, 87, 35, 88, 98, 66, 32, 14, 05} func encrypt(key, text []byte) ([]byte, error) { block, err := aes.NewCipher(key) if err != nil { return nil, err } b := base64.StdEncoding.EncodeToString(text) ciphertext := make([]byte, aes.BlockSize+len(b)) iv := ciphertext[:aes.BlockSize] if _, err := io.ReadFull(rand.Reader, iv); err != nil { return nil, err } cfb := cipher.NewCFBEncrypter(block, iv) cfb.XORKeyStream(ciphertext[aes.BlockSize:], []byte(b)) return ciphertext, nil } func decrypt(key, text []byte) ([]byte, error) { block, err := aes.NewCipher(key) if err != nil { return nil, err } if len(text) < aes.BlockSize { return nil, errors.New("ciphertext too short") } iv := text[:aes.BlockSize] text = text[aes.BlockSize:] cfb := cipher.NewCFBDecrypter(block, iv) cfb.XORKeyStream(text, text) data, err := base64.StdEncoding.DecodeString(string(text)) if err != nil { return nil, err } return data, nil } Produces:
some really really really long plaintext
54618bd6bb10612a7b590c53192df214501e01b685540b012581a0ed9ff3ddaa1f4177cc6186b501fb8cce0c2eb764daff475aab724d4d33e614d7d89cf556d8512fd920018c090f
some really really really long plaintext
Playground
Hope that helps to pin point the problem.
198
Crypto is hard and the go libraries are perhaps not high level enough so it's easy to make mistakes.
For anyone looking for an example of doing it right by an expert in the field (a security developer at CoreOS), this gives a good example of AES encryption (along with other common uses of crypto).
https://github.com/gtank/cryptopasta
23
Here is the working demo i just finished writing, it mostly uses code samples from the go document but it is tailored to do what most apps including my use case expects out of encryption methods.
It use AES encryption. encrypt from string to base64 string. Easy to use on URL and dbs. decrypt from base64 string created above to original text.
Simple text conversions everywhere.
GIST: Here is the gist, please let me know if there are any need for the improvements.
It's a simple go file, ready to be run.
41
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
