During the Enterprise Titanium development cycle, there is often the requirement to encrypt in-process or persisted JavaScript objects or variables. The Securely framework provides a StringCrypto proxy with convenience methods for key generation of AES and DES bi-directional encryption.
This recipe describes how to use the Securely.StringCrypto object to encrypt and decrypt JavaScript objects in a secure manner.
This recipe uses the Securely native module. This module and other code assets can be downloaded from the source provided by the book. Installing these in your project is straightforward. Simply copy the modules folder into the root of your Titanium Project. Please review the Getting ready section of the Using secure properties recipe for instructions on module setup before continuing.
This example is designed to run within the context of a Ti.UI.Window or other component within a single Titanium context. This section demonstrates how to use the StringCrypto method of Securely to encrypt JavaScript objects. For more information, please reference the app.js included with the recipe's source.
Once you have added the Securely module to your project, you need to create your application namespace in the app.js file and use require to import the module into your code as the following code snippet demonstrates:
//Create our application namespace
var my = {
secure : require('bencoding.securely'),
isAndroid : Ti.Platform.osname === 'android'
};Key generation is an important part of cryptography and to assist with this process, Securely has two built-in convenience methods.
The first key generation convenience method is called generateDerivedKey. This method includes the string input provided by the user into the salt algorithm used to determine the key. This approach is helpful if the seed value needs to be known or derived by another accessing system. The following steps demonstrate two common approaches for generating the seed value to be provided to the generateDerivedKey method:
- A common approach is to create a new GUID as the seed from which the key is generated. The following code snippet demonstrates this approach using the
Ti.Platform.createUUIDmethod to generate a GUID:var usingGUID = my.secure.generateDerivedKey(Ti.Platform.createUUID());
- Another, less random method of key generation is to provide the Titanium app GUID as the seed value. The following code snippet demonstrates how to use the
Ti.App.guidto create a derived key using the GUID from your project'stiapp.xmlfile.var usingAppID = my.secure.generateDerivedKey(Ti.App.guid);
The second key generation convenience method is called generateRandomKey. As its name indicates, a random alphanumeric string is generated and used as the seed value. The following code snippet demonstrates how to create a key value using the generateRandomKey method.
var randomKey = my.secure.generateRandomKey();
Securely supports the older Data Encryption Standard (DES) encryption algorithm. Support for this algorithm is primarily provided for intercommunication with legacy systems. Wherever possible, the stronger AES encryption should be used instead.
The DESEncrypt method requires a key and a string to encrypt. This method will then return a DES encrypted string. If an error is generated during the encryption process a null value is returned. The following demonstrates how to encrypt both a JavaScript string and object using this method.
var desEncryptedString = stringCrypto.DESEncrypt (usingGUID, plainTextString); var desEncryptedObject = stringCrypto.DESEncrypt (usingGUID, JSON.stringify(plainObject));
Any non-JavaScript string elements must first be converted into a JavaScript string before being provided to the DESEncrypt function.
The DESDecrypt method is used to decrypt a string encrypted with the DES algorithm. This method requires the key and a string with the encrypted value. The DESDecrypt method will then return a string with the decrypted value. The following snippet demonstrates how to use the DESDecrypt method to decrypt both a string and object.
var desDecryptedString = stringCrypto.DESDecrypt (usingGUID, desEncryptedString);
The following code snippet demonstrates how to use JSON.parse to re-build the JavaScript object from the decrypted JSON string.
var desDecryptedObject = JSON.parse (stringCrypto.DESDecrypt(usingGUID, desEncryptedObject));
The AESEncrypt method requires a key and a string to encrypt. This method will then return an AES-encrypted string. If an error is generated during the encryption process, a null value is returned. The following code snippet demonstrates how to encrypt both a JavaScript string and object using this method.
var aesEncryptedString = stringCrypto.AESEncrypt (usingGUID, plainTextString); var aesEncryptedObject = stringCrypto.AESEncrypt (usingGUID, JSON.stringify(plainObject));
The AESDecrypt method is used to decrypt a string encrypted with the AES algorithm. This method requires the key and a string with the encrypted value. The AESDecrypt method will then return a string with the decrypted value. The following code snippet demonstrates how to use the AESDecrypt method to decrypt both a string and an object.
var aesDecryptedString = stringCrypto.AESDecrypt (usingGUID, aesEncryptedString);
The following code snippet demonstrates how to use JSON.parse to rebuild the JavaScript object from the decrypted JSON string.
var aesDecryptedObject = JSON.parse (stringCrypto.AESDecrypt(usingGUID, aesEncryptedObject));
Titanium SDK objects such as Ti.UI.View are not real JavaScript objects, and therefore, cannot be serialized and encrypted effectively. To encrypt Titanium objects, you must first copy all of the Titanium object's properties into a pure JavaScript object and then convert the JavaScript object to a JSON string as shown earlier. During the decryption process, the reverse approach can be taken to recreate the Titanium object.
- This recipe uses the
Securelymodule, for installation details please review the Getting ready section of the Using secure properties recipe - To learn more about DES encryption, please review processing standards publication published by the National Institute of Standards and Technology (NIST) available at http://www.itl.nist.gov/fipspubs/fip46-2.htm
- To learn more about AES encryption, please review processing standards publication published by the NIST available at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- To learn more about Cryptographic Services used in the iOS implementation, please review Apples documentation available at https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/Introduction/Introduction.html#//apple_ref/doc/uid/TP40011172-CH1-SW1
- To learn more about Cryptographic Ciphers used in the Android implementation, please review the Android documentation available at http://developer.android.com/reference/javax/crypto/Cipher.html