Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

RNCryptor not working with JSON string

Here are my method's to use RNCryptor to encrypt/decrypt a JSON string that I am sending to the web service. I am using a static IV variable which may be bad practice but please don't focus on that. Here is how I'm doing it:

Note: I'm using Matt Gallagher's NSData+Base64 category found here (at bottom of page)

-(NSString*)encryptString:(NSString*)plaintext withKey:(NSString*)key error:(NSError**)error{
    NSData *data = [plaintext dataUsingEncoding:NSUTF8StringEncoding];
    NSData *encryptionKey = [NSData dataFromBase64String:key];
    NSData *IV = [NSData dataFromBase64String:ENCRYPTION_IV];

    RNCryptorEngine *engine = [[RNCryptorEngine alloc] initWithOperation:kCCEncrypt settings:kRNCryptorAES256Settings key:encryptionKey IV:IV error:error];
    [engine addData:data error:error];
    NSData *encryptedData = [engine finishWithError:error];

    NSString *based64Encrypted = [encryptedData base64EncodedString];
    NSLog(@"Encrytped: %@", based64Encrypted);
    return based64Encrypted;
}
-(NSString*) decryptString:(NSString*)cipherText withKey:(NSString*)key error:(NSError**)error;{
    NSData *data = [NSData dataFromBase64String:cipherText];
    NSData *encryptionKey = [NSData dataFromBase64String:key];
    NSData *IV = [NSData dataFromBase64String:ENCRYPTION_IV];

    RNCryptorEngine *engine = [[RNCryptorEngine alloc] initWithOperation:kCCDecrypt settings:kRNCryptorAES256Settings key:encryptionKey IV:IV error:error];
    [engine addData:data error:error];
    NSData *decryptedData = [engine finishWithError:error];
    NSString *decryptedString = [[NSString alloc] initWithData:decryptedData encoding:NSUTF8StringEncoding];
    NSLog(@"Decrypted: %@", decryptedString);
    return decryptedString;
}

When I use a string like hello world it works fine. When I use a string like {"username":"developer","password":"abcdefG*12"} I imagine it hase something to do with the encoding but I really know what to use.

when I encrypt that string I get a base64 string and when I try to decrypt that I get an empty string.

UPDATE

It looks like it's failing because of the : in the json string. What's weirder is it only fails with the string is in json format, I thought it was the : cause I tried that first but upon further investigation if I broke any of the JSON requirements ,'s {'s }'s it stopped working. It works with the RNEncryptor however so I'm not sure what I'm doing wrong. Either way, I think we may redesign the current flow

UPDATE 2

Here is where I am calling these methods:

NSDictionary *credentials = @{@"username":@"developer",@"password":@"abcdefG*12"};
NSString *jsonString = [ credentials JSONStringWithOptions:JKSerializeOptionNone error:&error];
NSLog(@"json string: %@", jsonString); //OUTPUTS: {"username":"developer","password":"abcdefG*12"}
CCGEncryption *encryptionObject = [[CCGEncryption alloc] init]; //THIS IS THE OBJECT WHERE THE encrypt/decrypt methods are

NSString *encrypted = [encryptionObject encryptString:jsonString withKey:ENCRYPTION_KEY error:&error];
if(error){
    NSLog(@"Error:%@", error); //NO ERROR
}
NSString *decrypted = [encryptionObject decryptString:encrypted withKey:ENCRYPTION_KEY error:&error];
if(error){
    NSLog(@"Error:%@", error);  //NO ERROR
}
NSLog(@"decrypted: %@", decrypted); //OUTPUT: decrypted: 
like image 535
mkral Avatar asked Jan 10 '13 16:01

mkral


1 Answers

You're not collecting the data returned by addData:. The engine encrypts/decrypts as you go so that you don't have to hold the entire plaintext and ciphertext in memory. It doesn't accumulate the data unless it has to (for padding reasons). I suspect that the tests that are working are of different lengths than the ones that aren't.

You are correct that using a fixed IV is bad practice. If you use the same IV and key in multiple messages, then it is possible for attackers to recover parts of your messages by comparing the ciphertexts. If you are using AES-CBC without a random IV and an HMAC, then your AES is insecure in several ways. That is the problem RNCryptor was built to address and why the data format looks the way it does.

@jbtule is correct that I didn't particularly mean for people to use the engine directly and haven't heavily documented it, but there's no problem using it, and I can document it better to support that. That said, the engine itself is insanely simple; I just created it as a way to share code between the encryptor and decryptor. There's not much reason to use RNCryptor if you're going to bypass most of the security it provides. For the above code, it'd be a lot simpler to just call the one-shot CCCrypt().

like image 166
Rob Napier Avatar answered Sep 19 '22 14:09

Rob Napier