encryption/decryption #14
Comments
node.js will derive the IV from the password, but it's not as secure. You should have both sides handshake to exchange an IV to use, but I don't think this is feasible with cookies, so it probably just has to be left out. Basically if you leave it out, the same cleartext always encrypts to the same ciphertext. But of course if you let the user set it and it just stays the same, that doesn't do anything, because the cleartext will still be the same for the same ciphertext. |
|
Nonces in the cookie can help mix up the cyphertext.
|
Make sure the nonce is at the start of the cleartext if you do this, since changes cascade from start to end :) |
|
okay updated it with optional @dougwilson your code coverage magic would be appreciated :) |
|
What's the reasoning behind removing the encoding option? Just wondering, not sure if it actually mattered now. |
Sure, can do :) |
The output from this should be opaque to the user; allowing them to say if they want it in hex or base64 is weird; they should just treat it as an opaque string i.m.o. |
|
Fair enough. |
|
Actually, @Fishrock123 re-looking at the new docs, it looks like we're just returning |
|
yeah trying to make this a more generic crypto library. also, encoding is a hassle when you've got a bunch of other stuff to deal with. |
|
@jonathanong I have some questions about this library's interface when you have some time; specifically regarding encodings. |
|
What is holding this back? |
There are a couple encoding issues I still need to fix (non-Latin1 chars are not stored correctly and can thus become corrupted, or unreadable by other languages), some cleanups, and documentation work. Also @TiXz since you seem interested, if you want, you can start trying it out with |
|
Done! I was doing essentially what Keygrip does in a private repo, but without hiding keys in a closure and without hardening agains timing attacks. Therefore I already knew the cause of the bug ☀️ |
|
Wow, @TiXz you really stepped up there, I was not expecting that, that was awesome! 🌴 |
|
Ok, PR has been merged and I'm in the process of clean up and prep for pushing a 2.0.0. |
|
@dougwilson anything i can help with? |
|
Let's revive this ;-) After implementing this feature in expressjs/cookie-session#141, what is missing for this feature to land in master? |
|
@dougwilson what is holding this back? |
i have an initial implementation here: 427f188
Some notes/questions/etc.
.cipher =to something else so we can do.cipher(message)and.decipher(message)..hash_algorithm=and.cipher_algorithm=?without any feedback i'm going to just chug along
/cc @expressjs/owners
The text was updated successfully, but these errors were encountered: