User Rating 0.0 ★★★★★

Total Usage 0 times

Category Security

AES Mode

Key Size

Key Input Type

Ciphertext Format

Decryption Key

Expected length depends on key size and format

PBKDF2 Salt (hex)

IV / Nonce (16 bytes hex)

CBC/CTR: 16 bytes, GCM: 12 bytes

Ciphertext For GCM, include the authentication tag appended to the ciphertext

Output As

Decrypted Output

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

AES (Advanced Encryption Standard) operates on fixed block sizes of 128 bits with key lengths of 128, 192, or 256 bits. Incorrect decryption parameters - wrong mode, mismatched IV, or truncated ciphertext - produce garbage output or silent data corruption. This tool performs real AES decryption via the browser's native Web Crypto API, not a simulation. It supports CBC (requires PKCS#7 padding), GCM (authenticated encryption with a 128-bit tag), and CTR (stream cipher mode with a counter nonce). Limitation: passphrase-based key derivation uses PBKDF2 with 100000 iterations of SHA-256. If the original encryption used a different KDF (scrypt, Argon2), you must supply the raw key directly.

Feeding a GCM ciphertext to CBC mode will fail silently or throw an authentication error. Always verify the mode and key size match the encryption parameters. The IV (Initialization Vector) must be exactly 16 bytes for CBC and CTR, and 12 bytes for GCM. This tool validates these constraints before attempting decryption. Pro tip: if you receive ciphertext as a single blob, the IV is often prepended - check with the sender for the exact format.

Formulas

AES decryption reverses the encryption transformation. For a ciphertext block C with key K, the plaintext P is recovered as:

P = AES⁻¹_K(C)

In CBC mode, each plaintext block depends on the previous ciphertext block:

P_i = AES⁻¹_K(C_i) ⊕ C_i−1

Where C₀ = IV (Initialization Vector) and ⊕ denotes bitwise XOR.

For PBKDF2 key derivation from a passphrase:

DK = PBKDF2(passphrase, salt, iterations, keyLen)

Where DK is the derived key, iterations = 100000, and keyLen ∈ {128, 192, 256} bits. The salt must be provided and match the value used during encryption.

Reference Data

AES Mode	IV/Nonce Size	Auth Tag	Padding	Use Case	Security Level
CBC	16 bytes (128 bits)	None	PKCS#7	File encryption, TLS 1.2	Secure (with HMAC)
GCM	12 bytes (96 bits)	128 bits	None (stream)	TLS 1.3, API encryption	Authenticated
CTR	16 bytes (128 bits)	None	None (stream)	Disk encryption, custom protocols	Secure (with MAC)
ECB	None	None	PKCS#7	Legacy systems	Weak (pattern leakage)
Key Size Reference
AES-128	16 bytes key		10 rounds		Standard
AES-192	24 bytes key		12 rounds		High
AES-256	32 bytes key		14 rounds		Maximum
PBKDF2 Parameters
Hash	SHA-256		Iterations: 100000		NIST SP 800-132
Salt	16 bytes min		Random, unique per key		Required
Common Encoding Formats
Hex	Characters: 0-9, a-f. Length = 2 × byte count				Human-readable
Base64	Characters: A-Z, a-z, 0-9, +, /. Padding: =				Compact

Frequently Asked Questions

CBC and CTR modes require an IV of exactly 16 bytes (128 bits). GCM requires a 12-byte (96-bit) nonce. If the IV length is incorrect, the Web Crypto API will reject the operation with a parameter error. This tool validates IV length before attempting decryption and reports the exact mismatch.

In AES-GCM, the last 16 bytes of the ciphertext typically contain the authentication tag. During decryption, the Web Crypto API verifies this tag against the computed value. If the ciphertext has been tampered with, or the wrong key/IV is used, decryption fails with an "OperationError" rather than producing corrupt plaintext. This tool expects the tag to be appended to the ciphertext.

OpenSSL's enc command prepends an 8-byte "Salted__" header followed by an 8-byte salt, then the ciphertext. This tool supports raw key+IV input. To decrypt OpenSSL output, you need to extract the salt, derive the key and IV using OpenSSL's EVP_BytesToKey (MD5-based by default), then provide those values here. Direct OpenSSL format parsing is not automated because EVP_BytesToKey is a non-standard KDF.

This occurs when the key or IV is technically valid (correct length) but does not match the values used for encryption. AES will still produce output bytes - they will simply be meaningless. In CBC mode, incorrect padding detection may catch some cases. In CTR mode, there is no padding check, so any key produces output. Always verify key and IV match the encryption parameters exactly.

The Web Crypto API processes data in memory. Practical limits depend on browser tab memory (typically 1-4 GB). For text-mode input, expect reliable decryption up to approximately 10 MB of ciphertext. For very large files, the operation may cause the browser tab to become unresponsive. This tool is designed for message-level decryption, not multi-gigabyte file processing.

Yes. PBKDF2 without a salt is cryptographically weakened and vulnerable to rainbow table attacks. This tool requires a salt (hex or Base64 encoded) when using passphrase mode. The salt must match the one used during encryption. If the encryption system did not use a salt, enter an empty field - the tool will use an empty ArrayBuffer, but this is not recommended.