doc: emphasize that createCipher is never secure #44538

Commits on Sep 6, 2022

  1. doc: emphasize that createCipher is never secure

    The current documentation clearly states that createCipher() and
    createDecipher() should not be used with ciphers in counter mode, but
    (1) this is an understatement, and (2) these functions are
    (semantically) insecure for ciphers in any other supported block cipher
    mode as well.
    
    Semantic security requires IND-CPA, but a deterministic cipher with
    fixed key and IV, such as those generated by these functions, does not
    fulfill IND-CPA.
    
    Are there justified use cases for createCipher() and createDecipher()?
    Yes and no. The only case in which these functions can be used in a
    semantically secure manner arises only when the password argument is
    not actually a password but rather a random or pseudo-random sequence
    that is unpredictable and that is never reused (e.g., securely derived
    from a password with a proper salt). Insofar, it is possible to use
    these APIs without immediately creating a vulnerability. However,
    
    - any application that manages to fulfill this requirement should also
      be able to fulfill the similar requirements of crypto.createCipheriv()
      and those of crypto.createDecipheriv(), which give much more control
      over key and initialization vector, and
    - the MD5-based key derivation step generally does not help and might
      even reduce the overall security due to its many weaknesses.
    
    Refs: nodejs#13821
    Refs: nodejs#19343
    Refs: nodejs#22089
    tniessen committed Sep 6, 2022
    8848f7c
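
The determinism the commit message describes, shown as an added example (not code from the commit or the Node.js project). `legacyKeyAndIv` reimplements the unsalted, single-iteration MD5 derivation (OpenSSL's EVP_BytesToKey) that the Node.js documentation describes for createCipher(), so it does not depend on the deprecated API. All function names, the password and the messages are constructed for illustration.

```javascript
const crypto = require('crypto');

// Unsalted MD5 chain: D1 = MD5(pw), D2 = MD5(D1 || pw), ... then split into key and IV.
// Same password in, same key AND same IV out, every time.
function legacyKeyAndIv(password, keyLen, ivLen) {
  const pw = Buffer.from(password, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < keyLen + ivLen) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pw])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, keyLen), iv: out.subarray(keyLen, keyLen + ivLen) };
}

// What createCipher('aes-256-cbc', password) amounts to: fixed key, fixed IV.
function encryptLegacy(password, plaintext) {
  const { key, iv } = legacyKeyAndIv(password, 32, 16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
}

// createCipheriv with a salted KDF (scrypt) and a fresh random IV per message.
// Confidentiality only; an AEAD mode such as GCM would add integrity.
function encryptSalted(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return { salt, iv, ct: Buffer.concat([c.update(plaintext, 'utf8'), c.final()]) };
}

function decryptSalted(password, { salt, iv, ct }) {
  const key = crypto.scryptSync(password, salt, 32);
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// What a passive observer learns from two ciphertexts, without any key.
function observe(ctA, ctB) {
  return {
    identical: ctA.equals(ctB),
    sameFirstBlock: ctA.subarray(0, 16).equals(ctB.subarray(0, 16)),
  };
}
```

With the legacy derivation, `observe` reports repeated messages as identical and messages sharing a first 16-byte block as having the same first ciphertext block; with `encryptSalted` both indicators are false.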