Forem: Thomas Dudek The latest articles on Forem by Thomas Dudek (@tdudek). https://forem.com/tdudek https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F342468%2F0b46b0f1-3a62-4cd1-b174-bfa8dfa24a9d.jpeg Forem: Thomas Dudek https://forem.com/tdudek en The Ultimate Developer’s Guide to AES-GCM: Encrypt and Decrypt with JavaScript and the Web Cryptography API Thomas Dudek Thu, 02 May 2024 21:08:33 +0000 https://forem.com/tdudek/the-ultimate-developers-guide-to-aes-gcm-encrypt-and-decrypt-with-javascript-and-the-web-cryptography-api-3a87 https://forem.com/tdudek/the-ultimate-developers-guide-to-aes-gcm-encrypt-and-decrypt-with-javascript-and-the-web-cryptography-api-3a87 <p>Hey developers 👋,</p> <p>ever wondered about how secure your application really is? This guide will show you how to leverage the <a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API">Web Cryptography API</a> to protect your data effectively, focusing on AES-GCM encryption. We'll break down the essentials of key management, encryption processes, and integrity checks, giving you a straightforward path to robust data security.<br> Ready to elevate your security approach? Let's dive in.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdx4kc0lfse1p0audbo4l.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdx4kc0lfse1p0audbo4l.png" alt="How it works" width="800" height="366"></a></p> <p>We will use the <strong>Web Cryptography API</strong> because it provides secure, standards-based methods for generating keys, hashing, signing, encrypting and decrypting data <strong>built directly into browsers</strong>. This enables a wide range of cryptographic operations that are essential for modern web applications.<br> For the encryption algorithm, we'll use AES-GCM, which is known for its efficiency and security.</p> <p><strong>AES-GCM (Advanced Encryption Standard - Galois/Counter Mode)</strong> is a symmetric key encryption algorithm that inherently requires a key to encrypt and decrypt data. The key could technically be any string. However, for enhanced security and to ensure data is secured with an additional password, we use <strong>PBKDF2 (Password-Based Key Derivation Function 2)</strong> for key derivation. PBKDF2 takes a password as input and produces a cryptographic key. It incorporates a salt to prevent rainbow table attacks and can perform many iterations to increase the computation time, thereby enhancing resistance against brute-force attacks.</p> <h2> Understanding Encryption: How It All Works </h2> <p>Before we deep dive into each component, let's look at the process shown above and summarize the relevant components involved in securing data:</p> <h3> Key Derivation </h3> <p>Directly using user passwords as encryption keys is not advisable due to their predictability and vulnerability to being guessed or cracked through brute-force attacks. Instead, we use a key derivation process to transform these potentially weak passwords into strong, cryptographic keys.</p> <ul> <li> <strong>Password:</strong> Used as input for PBKDF2. Typically, user passwords may not be complex or random enough to serve as strong keys on their own. They often contain predictable patterns or are reused across different services, making them susceptible to attacks.</li> <li> <strong>Salt:</strong> Used as input for PBKDF2. The salt is a random value added to the password before key derivation. The salt ensures that even if two users have the same password, their derived keys will be different. It also protects against precomputed attacks, such as rainbow table attacks, where attackers use pre-generated hashes to crack passwords quickly.</li> <li> <strong>PBKDF2:</strong> This key derivation function is specifically designed to make deriving the key from the password computationally expensive and time-consuming. By incorporating the salt and performing many iterations, PBKDF2 effectively protects from brute-force and other speed-based cracking attempts. The use of a hashing function like SHA-256 within PBKDF2 also ensures the integrity and randomness of the derived key.</li> <li> <strong>Encryption Key:</strong> The result of the key derivation process, used to encrypt the plaintext data. This key is significantly harder to reverse-engineer or guess compared to the original user password.</li> </ul> <h3> Encryption </h3> <p>With a robust encryption key in hand from our key derivation process, we move on to the encryption phase where this key is used to secure our data.</p> <ul> <li> <strong>Plaintext Data:</strong> The original data that needs to be encrypted. This data is combined with the encryption key to ensure it remains confidential.</li> <li> <strong>Initialization Vector (IV):</strong> A unique sequence used for each encryption operation to ensure that identical plaintext results in different ciphertexts every time.</li> <li> <strong>AES-GCM:</strong> This is the encryption algorithm we use.</li> <li> <strong>Encrypted Data (Ciphertext):</strong> The output of the encryption process, representing the encrypted version of the plaintext.</li> <li> <strong>Authentication Tag</strong>: Generated during the encryption, this tag helps verify the integrity and authenticity of the data upon decryption, ensuring the data has not been tampered with during transmission or storage.</li> </ul> <p>Now, with a clear understanding of what each component does and how they interact, we can walk each step in more detail to understand their roles in the encryption and decryption processes.</p> <h2> How to create a secure Encryption Key? </h2> <p>The secure cryptographic key generation starts with the user's password, processed through the PBKDF2 algorithm using SHA-256 hashing. This method enhances security by deterring brute-force attacks through computationally intensive operations and requires two steps:</p> <h3> Salt Generation </h3> <p>We use a cryptographically secure random number generator from the Web Cryptography API to create a random salt. This ensures that identical passwords do not produce the same encryption key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">16</span><span class="p">));</span> <span class="c1">// 128-bit salt</span> </code></pre> </div> <p>A 128-bit salt provides a high level of randomness, which is crucial for ensuring that each derived key is unique. With 2^128 possible combinations, the likelihood that two salts are the same is extremely low, even across millions of encryption instances. While providing robust security, a 128-bit salt also balances performance. It doesn't significantly slow down the key derivation process but offers enough complexity to provide security against most attack vectors.</p> <h3> Key Derivation </h3> <p>First, we need to prepare the user's password for cryptographic use by converting it into a format suitable for key derivation. We achieve this using the <code>importKey()</code> function from the Web Cryptography API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">baseKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">importKey</span><span class="p">(</span> <span class="dl">"</span><span class="s2">raw</span><span class="dl">"</span><span class="p">,</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PBKDF2</span><span class="dl">"</span> <span class="p">},</span> <span class="kc">false</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">deriveKey</span><span class="dl">"</span><span class="p">],</span> <span class="p">);</span> </code></pre> </div> <p>Now, we apply the PBKDF2 function to the base key to obtain the final encryption key. This step uses the provided salt, iteration count, and hash function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">derivedKey</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">deriveKey</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PBKDF2</span><span class="dl">"</span><span class="p">,</span> <span class="nx">salt</span><span class="p">,</span> <span class="na">iterations</span><span class="p">:</span> <span class="mi">600000</span><span class="p">,</span> <span class="na">hash</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA-256</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="nx">baseKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="na">length</span><span class="p">:</span> <span class="mi">256</span> <span class="p">},</span> <span class="kc">true</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">encrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">decrypt</span><span class="dl">"</span><span class="p">],</span> <span class="p">);</span> </code></pre> </div> <p>Using 600,000 iterations for key derivation in PBKDF2 is recommended by NIST to balance security and performance. This high number of iterations increases the computational effort required, making brute-force attacks more difficult and time-consuming by modern hardware, which can quickly process lower iterations.</p> <h2> How to encrypt data with AES-GCM? </h2> <p>When it comes to encrypting data with AES-GCM, there are essential steps to follow:</p> <ol> <li> <strong>Key Importation:</strong> This step prepares the derived encryption key for use in encryption operations, ensuring that the cryptographic process can securely access and utilize the key.</li> <li> <strong>Initialization Vector Generation:</strong> To ensure each encryption operation's uniqueness and security, we generate the Initialization Vector (IV) using a secure random number generator.</li> <li> <strong>Data Encryption:</strong> Once we have the key prepared, we can proceed with encrypting the data. This involves specifying the Initialization Vector (IV) and the length of the authentication tag. This encryption process not only secures the data but also generates an authentication tag, which is required for verifying data integrity and authenticity upon decryption.</li> </ol> <h3> Initialization Vector (IV) </h3> <p>We generate a 12-byte Initialization Vector (IV) using a secure random number generator. This method ensures that each encryption session starts with a fresh, secure IV.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">12</span><span class="p">));</span> <span class="c1">// optimal length for AES-GCM</span> </code></pre> </div> <p>Here's why a 12-byte IV is optimal:</p> <ul> <li> <strong>Alignment with AES Block Size:</strong> This size directly aligns with AES's block size, simplifying the encryption process by eliminating the need for additional hashing or padding.</li> <li> <strong>Enhanced Security and Efficiency:</strong> The 12-byte length helps avoiding IV reuse, relevant for maintaining data confidentiality and integrity. It allows AES-GCM to use the IV as the initial counter block, streamlining encryption operations.</li> <li> <strong>Compliance with NIST Recommendations:</strong> According to NIST, a 12-byte IV is recommended for balancing security with performance, suitable for up to (2^{32}) encryptions with the same key.</li> </ul> <h3> Encrypting the Data </h3> <p>Once the encryption key is prepared and the Initialization Vector (IV) is generated, we're ready to encrypt the data. This process involves transforming the plaintext data into ciphertext using the AES-GCM encryption algorithm.<br> By specifying the IV and the desired tag length, we ensure both confidentiality and integrity of the encrypted data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="nx">iv</span><span class="p">,</span> <span class="na">tagLength</span><span class="p">:</span> <span class="mi">128</span> <span class="p">},</span> <span class="nx">key</span><span class="p">,</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">data</span><span class="p">),</span> <span class="p">);</span> </code></pre> </div> <h3> Extracting the Authentication Tag </h3> <p>When encrypting data using the Web Cryptography API, the output of the encryption process contains both the ciphertext and the authentication tag combined. This means that upon encryption, the resulting encrypted value already includes the authentication tag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">ciphertext</span> <span class="o">=</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nx">byteLength</span> <span class="o">-</span> <span class="mi">16</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authTag</span> <span class="o">=</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">encrypted</span><span class="p">.</span><span class="nx">byteLength</span> <span class="o">-</span> <span class="mi">16</span><span class="p">);</span> </code></pre> </div> <p>Extracting the authentication tag is especially recommended when using encryption in environments with different technology stacks and polyglot setups. For instance, in Node.js's crypto module, the authentication tag is handled separately from the ciphertext: <code>const cipher = createCipheriv("aes-256-gcm", encryptionKey, iv); /* ... */ cipher.getAuthTag()</code>, unlike some other environments where it might be automatically appended to the output. Manually extracting the tag ensures compatibility across different cryptographic libraries and frameworks, allowing for more control over how encryption is implemented and verified.</p> <h2> How to decrypt the data with AES-GCM? </h2> <p>Once our data is securely encrypted, our next step is to unlock it and retrieve the original information. The decryption process reverses the encryption steps, using the same key, IV, and authentication tag to ensure the data's integrity has not been compromised.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// re-derive the key from the password and salt used during encryption</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="c1">// re-combine the ciphertext and the authentication tag</span> <span class="kd">const</span> <span class="nx">encryptedContent</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">.</span><span class="nx">length</span> <span class="o">+</span> <span class="nx">authTag</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="nx">encryptedContent</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="nx">encryptedContent</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">authTag</span><span class="p">,</span> <span class="nx">ciphertext</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decryptedContent</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="nx">iv</span><span class="p">,</span> <span class="na">tagLength</span><span class="p">:</span> <span class="mi">128</span> <span class="p">},</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">encryptedContent</span><span class="p">,</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">decryptedData</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextDecoder</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="nx">decryptedContent</span><span class="p">);</span> </code></pre> </div> <p>This function retrieves the original plaintext data securely and confirms that the data's integrity has not been compromised by verifying the authentication tag before decryption.</p> <h2> Full Code Example: AES-GCM encryption and decryption </h2> <p>Here's a complete example demonstrating the AES-GCM encryption and decryption process using the Web Cryptography API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encodedPassword</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">password</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">baseKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">importKey</span><span class="p">(</span> <span class="dl">"</span><span class="s2">raw</span><span class="dl">"</span><span class="p">,</span> <span class="nx">encodedPassword</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PBKDF2</span><span class="dl">"</span> <span class="p">},</span> <span class="kc">false</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">deriveKey</span><span class="dl">"</span><span class="p">],</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">derivedKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">deriveKey</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PBKDF2</span><span class="dl">"</span><span class="p">,</span> <span class="na">salt</span><span class="p">:</span> <span class="nx">salt</span><span class="p">,</span> <span class="na">iterations</span><span class="p">:</span> <span class="mi">600000</span><span class="p">,</span> <span class="na">hash</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA-256</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="nx">baseKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="na">length</span><span class="p">:</span> <span class="mi">256</span> <span class="p">},</span> <span class="kc">true</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">encrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">decrypt</span><span class="dl">"</span><span class="p">],</span> <span class="p">);</span> <span class="k">return</span> <span class="nx">derivedKey</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">encryptData</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">16</span><span class="p">));</span> <span class="c1">// 128-bit salt</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">12</span><span class="p">));</span> <span class="c1">// 12 bytes for AES-GCM</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">encodedData</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">encryptedContent</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="na">iv</span><span class="p">:</span> <span class="nx">iv</span><span class="p">,</span> <span class="na">tagLength</span><span class="p">:</span> <span class="mi">128</span><span class="p">,</span> <span class="c1">// 128-bit tag length</span> <span class="p">},</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">encodedData</span><span class="p">,</span> <span class="p">);</span> <span class="c1">// extract the ciphertext and authentication tag</span> <span class="kd">const</span> <span class="nx">ciphertext</span> <span class="o">=</span> <span class="nx">encryptedContent</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">encryptedContent</span><span class="p">.</span><span class="nx">byteLength</span> <span class="o">-</span> <span class="mi">16</span><span class="p">,</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">authTag</span> <span class="o">=</span> <span class="nx">encryptedContent</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">encryptedContent</span><span class="p">.</span><span class="nx">byteLength</span> <span class="o">-</span> <span class="mi">16</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ciphertext</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">),</span> <span class="na">iv</span><span class="p">:</span> <span class="nx">iv</span><span class="p">,</span> <span class="na">authTag</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">authTag</span><span class="p">),</span> <span class="na">salt</span><span class="p">:</span> <span class="nx">salt</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">decryptData</span><span class="p">(</span><span class="nx">encryptedData</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">ciphertext</span><span class="p">,</span> <span class="nx">iv</span><span class="p">,</span> <span class="nx">authTag</span><span class="p">,</span> <span class="nx">salt</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">encryptedData</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="c1">// re-combine the ciphertext and the authentication tag</span> <span class="kd">const</span> <span class="nx">dataWithAuthTag</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">.</span><span class="nx">length</span> <span class="o">+</span> <span class="nx">authTag</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="nx">dataWithAuthTag</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="nx">dataWithAuthTag</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">authTag</span><span class="p">,</span> <span class="nx">ciphertext</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decryptedContent</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="na">iv</span><span class="p">:</span> <span class="nx">iv</span><span class="p">,</span> <span class="na">tagLength</span><span class="p">:</span> <span class="mi">128</span> <span class="p">},</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">dataWithAuthTag</span><span class="p">,</span> <span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">TextDecoder</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="nx">decryptedContent</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Example usage</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Hello, world!</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">securePassword123</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">encryptedData</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">encryptData</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Encrypted Data:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">encryptedData</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decryptedData</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">decryptData</span><span class="p">(</span><span class="nx">encryptedData</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Decrypted Data:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">decryptedData</span><span class="p">);</span> </code></pre> </div> <h2> Best Practices for Storage and Transmission </h2> <ol> <li><p><strong>Ciphertext</strong>: This is the encrypted version of your plaintext data.<br><br> ✅ Can be stored or transmitted publicly as it requires the corresponding decryption key to unlock, making it meaningless without access to that key.</p></li> <li><p><strong>Initialization Vector (IV)</strong>: Used to ensure that identical plaintext encrypts to different ciphertext under the same key.<br><br> ✅ Can be stored or transmitted alongside the ciphertext. The IV does not need to be kept secret as its sole purpose is to provide cryptographic randomness and prevent repeatable patterns in the encryption.</p></li> <li><p><strong>Salt</strong>: Used in the key derivation process to prevent the generation of identical keys from the same password.<br><br> ✅ Like the IV, the salt can be stored or transmitted publicly. It is not sensitive but is essential for deriving the same encryption key during the decryption process.</p></li> <li><p><strong>Authentication Tag</strong>: Provides a way to verify the integrity and authenticity of the encrypted data when decrypting.<br><br> ✅ Should be stored or transmitted with the ciphertext. While it does not compromise the security of the ciphertext if exposed, its integrity verification purpose requires it to accompany the ciphertext.</p></li> <li><p><strong>Encryption Key</strong>: The key derived from the password that is used to encrypt and decrypt data.<br><br> ⚠️ <em><u>Should never be stored or transmitted alongside the ciphertext.</u></em> The security of the encrypted data relies on the secrecy and security of this key. It must be protected and managed with strong security measures, typically kept in secure storage accessible only to authorized systems or personnel.</p></li> </ol> <h2> Browser Compatibility </h2> <p>The Web Cryptography API is supported in the following browsers:</p> <ul> <li>Google Chrome 37+</li> <li>Mozilla Firefox 34</li> <li>Internet Explorer 11+</li> <li>Microsoft Edge 12+</li> <li>Safari 10.1+</li> </ul> <h2> Conclusion </h2> <p>Using AES-GCM for encryption and decryption with the Web Cryptography API provides a robust framework for securing data. This guide has detailed the steps for encrypting data securely and decrypting it to ensure integrity, showcasing the necessity of handling encryption components like the authentication tag with care. By following these procedures, developers can protect sensitive information effectively in a variety of technical environments.</p> <h2> Resources </h2> <ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API">Web Cryptography API</a></li> <li><a href="https://www.crypto101.io/">Crypto 101 Course</a></li> </ul> <h2> Try It Out </h2> <p>Curious to see how this encryption is used in practice? We use AES-GCM with PBKDF2 to create one-time links to securly share data encrypted within the browser before sending it over the wire.</p> <p><a href="https://www.sharesecure.link"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw485cm67tgawgb22zozc.png" alt="ShareSecure" width="800" height="391"></a></p> <p>Go ahead and create your first secret link: <a href="https://www.sharesecure.link">https://www.sharesecure.link</a></p> javascript security webdev