github.com/nodejs/node.git
-rw-r--r-- doc/api/crypto.md 8
-rw-r--r-- doc/api/deprecations.md 4
2 files changed, 10 insertions, 2 deletions
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index dc581cbd82b..66fb2f207bd 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3013,6 +3013,10 @@ The `password` is used to derive the cipher key and initialization vector (IV).
The value must be either a `'latin1'` encoded string, a [`Buffer`][], a
`TypedArray`, or a `DataView`.
+<strong class="critical">This function is semantically insecure for all
+supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,
+GCM, or CCM).</strong>
+
The implementation of `crypto.createCipher()` derives keys using the OpenSSL
function [`EVP_BytesToKey`][] with the digest algorithm set to MD5, one
iteration, and no salt. The lack of salt allows dictionary attacks as the same
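Review bot: The new `<strong class="critical">` warning for `crypto.createCipher()` states that the function is "fatally flawed for ciphers in counter mode" without giving the reason, and the paragraph that follows it only covers the dictionary-attack consequence of the unsalted MD5 derivation. The context line above already says the password derives both the key and the IV, so suggest adding one clause saying that the same password always yields the same key and IV, which is what makes CTR, GCM, or CCM break on reuse, and naming `crypto.createCipheriv()` as the replacement in the warning itself.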
@@ -3136,6 +3140,10 @@ cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the
authentication tag in bytes, see [CCM mode][].
For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
+<strong class="critical">This function is semantically insecure for all
+supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,
+GCM, or CCM).</strong>
+
The implementation of `crypto.createDecipher()` derives keys using the OpenSSL
function [`EVP_BytesToKey`][] with the digest algorithm set to MD5, one
iteration, and no salt. The lack of salt allows dictionary attacks as the same
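Review bot: The warning added to `crypto.createDecipher()` is a verbatim copy of the one in the `crypto.createCipher()` hunk, so "This function is semantically insecure" reads oddly for a decryption function, where the weakness lies in how the data was encrypted. Suggest rewording it for this section, for example by saying that anything this function can decrypt was protected with the key and IV derivation described in the next paragraph, and consider whether two identical three-line blocks will drift apart when one of them is edited later.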
diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
index 7cfe0c01ee0..d3f3eac9cef 100644
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@@ -2114,10 +2114,10 @@ changes:
Type: Runtime
-Using [`crypto.createCipher()`][] and [`crypto.createDecipher()`][] should be
+Using [`crypto.createCipher()`][] and [`crypto.createDecipher()`][] must be
avoided as they use a weak key derivation function (MD5 with no salt) and static
initialization vectors. It is recommended to derive a key using
-[`crypto.pbkdf2()`][] or [`crypto.scrypt()`][] and to use
+[`crypto.pbkdf2()`][] or [`crypto.scrypt()`][] with random salts and to use
[`crypto.createCipheriv()`][] and [`crypto.createDecipheriv()`][] to obtain the
[`Cipher`][] and [`Decipher`][] objects respectively.
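Review bot: The added "with random salts" fixes only the key-derivation half of the sentence. The same paragraph names "static initialization vectors" as the second problem, yet the recommendation never says what to pass as the IV to `crypto.createCipheriv()`. Suggest stating that the IV must also be freshly generated for each encryption, otherwise a reader can follow this text exactly and still reuse an IV with a counter-mode cipher.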