Node v8.9.0 how to rewrite crypto.createCipher to crypto.createCipheriv?

[ronovar]

Before Node v8.9.0 i was using this code:

/**

DEFINE

@Encrypt
/
function encrypt(text, password){
/ GET - crypted */
try {
var cipher = crypto.createCipher(algorithm, password),
crypted = cipher.update(text,'utf8','hex');

 crypted += cipher.final('hex');
 return crypted;
} catch(e) { return }
}

/**

DEFINE

@decrypt
/
function decrypt(text, password){
/ GET - decipher */
try {
var decipher = crypto.createDecipher(algorithm, password);
var dec = decipher.update(text,'hex','utf8');

 dec += decipher.final('utf8');
 return dec;
} catch (e) { return }
}

This code works great in previus version...now i upgrade to Node v8.9.0 on ubuntu 14.04 and i get warnings to not to use crypto.createCipher and to use crypto.createCipheriv so could please some expirienced rewrite above code to use crypto.createCipheriv ? i read Node documnetation and i see that i need to add at the end of crypto.createCipheriv IV parameter - Initialization Vector...but i don't know how to define it what value it needs to hold and so on. Above posted code works but it needs to be rewriten to use crypto.createDecipheriv so that i can use my application.js under new Node v8,9,0.

Thanks

[bnoordhuis]

Link-back to nodejs/node#16746 and see nodejs/node#13801. If you were using counter mode (CTR) for encryption, then your data is compromised because of the fixed IV.

If you don't know what an IV is, or don't know what acceptable values for an IV are, then you should educate yourself on that subject first. This forum is not the right place for that because it's a complex and subtle subject matter. The best advice I can give you is to buy a good book on cryptography.

[ronovar]

Thanks this is good way you say...but i im in but hurry to publish project application.js and have no time to study cryptography...i need basic solution using crypto.createCipheriv and using as you say fixed IV so how to use fixed IV?

[bnoordhuis]

I mean this in the nicest way possible but cryptography is something that, if you don't know what you're doing, you shouldn't be doing.

In your particular case you could simply skip encryption altogether because AES-CTR with a fixed IV offers no security whatsoever.

[ronovar]

Thanks i rewrite minor changes of my above functions and use aes-128-cbc algorithm and fixed IV value and now encrypting and decrypting works....now i have another problem that i can't figure out...in previus release of node v7.1.0 i was successfully using REST API---after upgrade to Node v8.9.0 i get error 404 not found and when calling api:

http://192.168.1.5:8080/api/server_status i get this:

Cannot GET /api/server_status

So question is if Node v8.9.0 changed some mechanism of using previus code of REST API? In previus node same REST API code works.

this is my short code of using REST API and express framework:

var express = require('express'),
panel = express(),
stream = express(),
apiRoutes = express.Router();

panel.use('/api', apiRoutes);

apiRoutes.post('/server_status', function(req, res) {
console.log('Hello from server_status...');
res.end();
})

panel.listen('8080');

[bnoordhuis]

CBC is a step up but be aware it's vulnerable to padding attacks if not used properly.

[ronovar]

Ok i im aware....for more secure algorithm i need to study cryptography and i will do this later..for now is important that secret data is encrypted and safe...

Do you have any idea what would be a problem that my REST API routes does not work? If i go back to Node v7.1.0 it works and on v8.9.0 it does not..could you make on your node server side small demo of REST API and see if it working by you? I think something changed in node v8.9.0 and REST API must be used different?