Nodejs createCipher vs createCipheriv

I'm currently trying to encrypt data at rest using NodeJS. I read in the Node API docs that createCipher is not recommended.

The crypto.createCipher() implementation derives keys using the OpenSSL function EVP_BytesToKey with the digest algorithm set to MD5, one iteration, and no salt. The lack of salt allows dictionary attacks, because the same password always creates the same key. The low iteration count and non-cryptographically secure hash algorithm allow passwords to be tested very quickly.

Following OpenSSL's recommendation to use pbkdf2 instead of EVP_BytesToKey, it is recommended that developers get the key and IV themselves using crypto.pbkdf2() and use crypto.createCipheriv() to create the Cipher object.

Is createCipher still a viable and secure way to encrypt data at rest? Should this method be considered obsolete? Is it possible for an informed attacker to potentially decrypt the data?

Should a solution using createCipheriv always be preferable to createCipher?

Any other details or recommendations are appreciated.

+5
1 answer

createCipheriv / createDecipheriv is of course preferable. Usage example:

    const crypto = require('crypto')

    // The key is 32 bytes (aes-256) and the IV is 16 bytes (one AES block).
    // Both are fixed literals here, so every call uses the same key/IV pair.
    function encrypt(text){
      // Buffer.from() replaces the deprecated new Buffer() constructor
      var cipher = crypto.createCipheriv('aes-256-cbc', Buffer.from('passwordpasswordpasswordpassword'), Buffer.from('vectorvector1234'))
      var crypted = cipher.update(text, 'utf8', 'hex')
      crypted += cipher.final('hex')
      return crypted
    }

    function decrypt(text){
      var decipher = crypto.createDecipheriv('aes-256-cbc', Buffer.from('passwordpasswordpasswordpassword'), Buffer.from('vectorvector1234'))
      var dec = decipher.update(text, 'hex', 'utf8')
      dec += decipher.final('utf8')
      return dec
    }

-2