github.com/nodejs/node.git
author: Shigeki Ohtsu <ohtsu@ohtsu.org> 2017-06-20 17:44:53 +0300
committer: Myles Borins <mylesborins@google.com> 2017-09-12 04:18:37 +0300
commit: 41bf40e209d0a8575e52205d95b2fe45164ddb0c
tree: 36ae7c58612d017de09feee53f10bcad45e420f5 (doc/api/crypto.md)
parent: 02260eab9858f4c49b0523d99cb7878900b685a6
crypto: warn if counter mode used in createCipher

`crypto.createCipher()` sets a fixed IV derived from the password and it leads
to a security risk of nonce reuse when counter mode is used. A warning is
emitted when CTR, GCM or CCM is used in `crypto.createCipher()` to notify
users to avoid nonce reuse.

Fixes: https://github.com/nodejs/node/issues/13801
PR-URL: https://github.com/nodejs/node/pull/13821
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Diffstat (limited to 'doc/api/crypto.md')
 doc/api/crypto.md | 7 +++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 52c7ebe71cf..08d14e96975 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -1201,7 +1201,11 @@ rapidly.
In line with OpenSSL's recommendation to use pbkdf2 instead of
[`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
their own using [`crypto.pbkdf2()`][] and to use [`crypto.createCipheriv()`][]
-to create the `Cipher` object.
+to create the `Cipher` object. Users should not use ciphers with counter mode
+(e.g. CTR, GCM or CCM) in `crypto.createCipher()`. A warning is emitted when
+they are used in order to avoid the risk of IV reuse that causes
+vulnerabilities. For the case when IV is reused in GCM, see [Nonce-Disrespecting
+Adversaries][] for details.
### crypto.createCipheriv(algorithm, key, iv[, options])
- `algorithm` {string}
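Review bot: the added paragraph only describes the consequence of IV reuse for GCM ("For the case when IV is reused in GCM, see ...") although the warning also fires for CTR and CCM; since `createCipher()` derives the IV from the password, every message under one password is encrypted with the same keystream, so for all three modes the XOR of two ciphertexts equals the XOR of their plaintexts, and for GCM the authentication key can additionally be recovered, enabling forgeries. Suggest stating that general consequence before the GCM reference. The sentence "A warning is emitted when they are used in order to avoid the risk of IV reuse" also reads as if emitting the warning avoids the risk; something like "A warning is emitted when they are used, because the fixed IV guarantees IV reuse across messages" is clearer. Finally, no `changes:` history entry for this new warning is visible in the hunk; the API docs record behaviour changes like this in the YAML block under the function heading.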
@@ -2271,6 +2275,7 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
[HTML5's `keygen` element]: http://www.w3.org/TR/html5/forms.html#the-keygen-element
[NIST SP 800-131A]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf
[NIST SP 800-132]: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
+[Nonce-Disrespecting Adversaries]: https://github.com/nonce-disrespect/nonce-disrespect
[OpenSSL's SPKAC implementation]: https://www.openssl.org/docs/man1.0.2/apps/spkac.html
[RFC 2412]: https://www.rfc-editor.org/rfc/rfc2412.txt
[RFC 3526]: https://www.rfc-editor.org/rfc/rfc3526.txt
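Review bot: the `[Nonce-Disrespecting Adversaries]` target is the companion GitHub repository rather than the paper itself (Böck, Zauner, Devlin, Somorovsky and Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS", WOOT 2016); a reader sent here "for details" from the paragraph above will find the attack description in the paper, so consider linking the paper or naming it in the link text. The entry's position between `[NIST SP 800-132]` and `[OpenSSL's SPKAC implementation]` keeps the list alphabetical, which is correct.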