iv missing on new plugin Cryptography AES GCM

0 favourites
  • 12 posts
From the Asset Store
Kids Game
$49 USD
New Sounds Added Update: 115 new sound effects added for no additional cost!
  • im trying to use the new cryptography plugin combined with a web page, i send the encrypted data (i know is not completly secure but is enough for us) but to decrypt on the other side using AESGCM i need the iv (initialization vector) and the encription tag, but on the plugin that is not added and i can't configure it so i can't decrypt on the web backend.

    is there a way to obtain or configure the iv? is the encription tag the same as the tag used to identify it is complete on the editor?

    Tagged:

  • It's sent along with the encrypted data. But you shouldn't need to do that. Use a HTTPS connection and everything you send to the server is already encrypted.

  • It's sent along with the encrypted data. But you shouldn't need to do that. Use a HTTPS connection and everything you send to the server is already encrypted.

    ok, but how do i obtain the iv? how is it diferentiated on the encrypted data? is separated by something?

  • The encrypted data is actually a binary structure which includes some metadata at the start including the iv. But my point in this case, you don't need to worry about any of that, as if you just use HTTPS it's all encrypted anyway.

  • yes but any way how can i get that metadata if i want to use it? let's say im using this encryption to play with a different app that wasn't made in construct.

    How can i get the iv?

  • The encrypted data is actually a binary structure which includes some metadata at the start including the iv. But my point in this case, you don't need to worry about any of that, as if you just use HTTPS it's all encrypted anyway.

    Ashley regardless the https, how to know about that metadata to be able to use the encrypted message in other places? there is no information about that on the documents.

  • You need more than just the iv to be able to decrypt the data. I added the encrypted binary data format to the Cryptography plugin manual entry which should cover everything you need to interoperate with other code and services.

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads
  • excellent :D we ended up using javascript for it but for future projects will help a lot for using it.

  • I'm having a similar problem.

    I want to send information to a PHP via AJAX POST and I want to encrypt the parameters I'm sending in the query string.

    I'm being able to encrypt using the cryptography plugin, but I cant find a tool using AES-GCM outside Construct 3 that will decrypt it.

    I read the manual and the addition Ashley posted:

    Bytes Description

    0-1 Reserved (must be 0)

    1-17 Salt (16 bytes)

    17-29 Initialization vector (aka IV, 12 bytes)

    29-33 Iterations (uint32, 4 bytes)

    33+ Encrypted data payload

    However it is of no much use as there is no way to define these parameters beforehand and after the encrypted string is generated, all the metadata is already encrypted except for the password.

    Is there any way I can encrypt in C3 and decrypt serverside defining only password?

  • You're wasting your time. Just use a HTTPS connection and everything is automatically encrypted on transmission and decrypted when received by the server. The Cryptography manual entry has a section on that ("HTTPS is already encrypted").

  • Ashley can you give me an axample as how to post and get data using ajax wihtout the parameters being visible using developer tools? I understand HTTPS encrypts and decrypts, but the parameters (with my "confidential" values) are still visible.

    That is why I'm still trying to send encrypted parameters to my PHP using the cryptography tool and still have the same problem of not being ale to decrypt them in backend with the provided documentation.

    Thanks!

  • I don't see how that improves security at all, though. Even if you encrypt values on the client, the client can still see them before they get encrypted. So you are not hiding anything from the client.

    Once the request goes over the network using HTTPS, then everything is encrypted. Usually the main concern is: can someone else on the network intercept and read the traffic? With HTTPS the answer is no. Adding extra encryption to the URL or request data does not affect that answer.

Jump to:
Active Users
There are 1 visitors browsing this topic (0 users and 1 guests)