Use cipheriv instead of plain cipher #17

Closed
wheresvic opened this issue Aug 23, 2018 · 3 comments · Fixed by #21
@wheresvic
Owner

wheresvic commented Aug 23, 2018

https://medium.com/@fhbro/crib-dragging-plain-text-attack-5a61a0bcd80d

https://stackoverflow.com/questions/25427935/node-js-create-initialization-vector-iv-from-random-source#29777716

Note that this will be a major change, as this changes the way the encrypted fields are stored. Also don't break backwards compatibility, i.e. use the regular cipher when no iv is available...

@vinczedani
Contributor

I see you want to use regular cipher when no iv is available, but both functions were added in v0.1.94

@wheresvic
Owner Author

I think you misunderstood me, or maybe I am not understanding you correctly, but what I meant was that we should allow an existing db that has been using the older algorithm to be able to upgrade and not break the db.

This can be done as a check in the decrypt function: when no salt is available, switch to the older algo. This might leave the db in an inconsistent state, however, and to mitigate that risk I have introduced an optional flag `useAes256Ctr` which will use the older algorithm to maintain backwards compatibility.

@vinczedani
Contributor

Oh I see your point, you are right
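
The migration discussed in this thread, as an added example that is not part of the issue or the project's code: a per-value random IV stored next to the ciphertext, a decrypt that falls back to the old algorithm when no IV is stored, and a helper showing why the old fixed-IV output is exposed to the crib-dragging attack linked above. The `ivHex:ctHex` format, the scrypt key derivation, the AES-256-CBC choice, the function names and the exact behaviour given to `useAes256Ctr` are assumptions of the example.

```javascript
// Added example, not the project's code. The "ivHex:ctHex" format, scrypt
// key derivation, AES-256-CBC choice and function names are assumptions.
const crypto = require('crypto');

// Key and IV as the Node.js docs describe for crypto.createCipher():
// EVP_BytesToKey (MD5, one iteration, no salt), so both are fixed per password.
function legacyKeyIv(password) {
  let out = Buffer.alloc(0), prev = Buffer.alloc(0);
  while (out.length < 48) { // 32-byte key + 16-byte IV
    prev = crypto.createHash('md5')
      .update(Buffer.concat([prev, Buffer.from(password, 'latin1')])).digest();
    out = Buffer.concat([out, prev]);
  }
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

function legacyEncrypt(text, password) {
  const { key, iv } = legacyKeyIv(password);
  const c = crypto.createCipheriv('aes-256-ctr', key, iv);
  return Buffer.concat([c.update(text, 'utf8'), c.final()]).toString('hex');
}

// useAes256Ctr (flag name from the thread) keeps writing the old format.
function encrypt(text, secret, useAes256Ctr = false) {
  if (useAes256Ctr) return legacyEncrypt(text, secret);
  const iv = crypto.randomBytes(16); // fresh IV for every stored value
  const key = crypto.scryptSync(secret, 'constructed-salt', 32);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return iv.toString('hex') + ':' + ct.toString('hex');
}

function decrypt(stored, secret) {
  const [ivHex, ctHex] = stored.split(':');
  if (ctHex === undefined) { // no IV stored: written by the old algorithm
    const { key, iv } = legacyKeyIv(secret);
    const d = crypto.createDecipheriv('aes-256-ctr', key, iv);
    return Buffer.concat([d.update(ivHex, 'hex'), d.final()]).toString('utf8');
  }
  const key = crypto.scryptSync(secret, 'constructed-salt', 32);
  const d = crypto.createDecipheriv('aes-256-cbc', key, Buffer.from(ivHex, 'hex'));
  return Buffer.concat([d.update(ctHex, 'hex'), d.final()]).toString('utf8');
}

// With a fixed key and IV, XOR of two ciphertexts equals XOR of the plaintexts.
function xorHex(a, b) {
  const x = Buffer.from(a, 'hex'), y = Buffer.from(b, 'hex');
  return Buffer.from(x.map((v, i) => v ^ y[i])).toString('hex');
}
```

Because hex output never contains `:`, the missing-IV check is unambiguous for values in these two formats.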
