Node v8.9.0 how to rewrite crypto.createCipher to crypto.createCipheriv? #949

Closed
ronovar opened this issue Nov 4, 2017 · 6 comments

Comments

@ronovar

ronovar commented Nov 4, 2017

Before Node v8.9.0 I was using this code:

    var crypto = require('crypto');
    // `algorithm` is defined elsewhere in the application (not shown in this post).

    /**
     * DEFINE
     * @Encrypt
     */
    function encrypt(text, password){
      /* GET - crypted */
      try {
        // createCipher derives the key and IV from the password alone
        var cipher = crypto.createCipher(algorithm, password),
            crypted = cipher.update(text,'utf8','hex');

        crypted += cipher.final('hex');
        return crypted;
      } catch(e) { return }
    }

    /**
     * DEFINE
     * @decrypt
     */
    function decrypt(text, password){
      /* GET - decipher */
      try {
        var decipher = crypto.createDecipher(algorithm, password);
        var dec = decipher.update(text,'hex','utf8');

        dec += decipher.final('utf8');
        return dec;
      } catch (e) { return }
    }

This code works great in the previous version... now I upgraded to Node v8.9.0 on Ubuntu 14.04 and I get warnings not to use crypto.createCipher and to use crypto.createCipheriv, so could someone experienced please rewrite the above code to use crypto.createCipheriv? I read the Node documentation and I see that I need to add the IV parameter (Initialization Vector) at the end of crypto.createCipheriv... but I don't know how to define it, what value it needs to hold, and so on. The code posted above works, but it needs to be rewritten to use crypto.createDecipheriv so that I can use my application.js under the new Node v8.9.0.

Thanks

@bnoordhuis
Member

Link-back to nodejs/node#16746 and see nodejs/node#13801. If you were using counter mode (CTR) for encryption, then your data is compromised because of the fixed IV.

If you don't know what an IV is, or don't know what acceptable values for an IV are, then you should educate yourself on that subject first. This forum is not the right place for that because it's a complex and subtle subject matter. The best advice I can give you is to buy a good book on cryptography.

@ronovar
Author

ronovar commented Nov 4, 2017

Thanks, this is a good way, as you say... but I am in a bit of a hurry to publish the project application.js and have no time to study cryptography... I need a basic solution using crypto.createCipheriv and using, as you say, a fixed IV, so how do I use a fixed IV?

@bnoordhuis
Member

I mean this in the nicest way possible but cryptography is something that, if you don't know what you're doing, you shouldn't be doing.

In your particular case you could simply skip encryption altogether because AES-CTR with a fixed IV offers no security whatsoever.

@ronovar
Author

ronovar commented Nov 5, 2017

Thanks, I made minor changes to my functions above and now use the aes-128-cbc algorithm and a fixed IV value, and encrypting and decrypting works... now I have another problem that I can't figure out... in the previous release, Node v7.1.0, I was successfully using a REST API; after upgrading to Node v8.9.0 I get error 404 not found, and when calling the API:

http://192.168.1.5:8080/api/server_status I get this:

Cannot GET /api/server_status

So the question is whether Node v8.9.0 changed some mechanism used by the previous REST API code? In the previous Node the same REST API code works.

This is my short code using the REST API and the express framework:

    var express = require('express'),
        panel = express(),
        stream = express(),
        apiRoutes = express.Router();

    // Mount the router under /api
    panel.use('/api', apiRoutes);

    // Handles POST /api/server_status
    apiRoutes.post('/server_status', function(req, res) {
      console.log('Hello from server_status...');
      res.end();
    });

    panel.listen('8080');

@bnoordhuis
Member

CBC is a step up but be aware it's vulnerable to padding attacks if not used properly.
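
The rewrite asked about at the top of this thread, as an added example that is not part of the original thread and not Node's own code: it uses crypto.createCipheriv with a fresh random IV for every message and AES-256-GCM, so modified ciphertext is rejected rather than exposed to the padding attacks mentioned for CBC. The PBKDF2 key derivation, its iteration count and the salt || iv || tag || ciphertext layout are assumptions of this example.

```javascript
const crypto = require('crypto');

// Assumed parameters for this example (not taken from the thread).
const SALT_LEN = 16;        // random salt per message for key derivation
const IV_LEN = 12;          // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;         // GCM authentication tag length
const PBKDF2_ITER = 200000; // work factor; tune for your hardware

// createCipheriv takes a raw key and does not stretch a password,
// so derive a 256-bit key from the password explicitly.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITER, 32, 'sha256');
}

// Returns hex of: salt || iv || tag || ciphertext.
function encrypt(text, password) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN); // fresh for every message, never fixed
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('hex');
}

// Throws if the password is wrong or the data was modified.
function decrypt(hex, password) {
  const buf = Buffer.from(hex, 'hex');
  if (buf.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('input too short');
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = buf.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() verifies the tag and throws on any mismatch
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}
```

Output from the old crypto.createCipher code cannot be read by this decrypt; existing data has to be decrypted with the old function and re-encrypted.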

@ronovar
Author

ronovar commented Nov 5, 2017

OK, I am aware... for a more secure algorithm I need to study cryptography and I will do this later... for now what is important is that the secret data is encrypted and safe...

Do you have any idea what the problem could be that my REST API routes do not work? If I go back to Node v7.1.0 it works, and on v8.9.0 it does not... could you make a small REST API demo on your Node server side and see if it works for you? I think something changed in Node v8.9.0 and the REST API must be used differently?

ronovar closed this as completed Nov 7, 2017