From c52d15cd5a4589238cb08132b4e737b0a6a4e7d9 Mon Sep 17 00:00:00 2001
From: Luke Childs
Date: Mon, 30 Apr 2018 16:33:45 +0700
Subject: [PATCH] Improve encryption implementation

Existing encryption used an insufficient key strengh and had no authnetication. We now derive the key from 300,000 rounds of PBKDF2, encrypt with AES-CBC and authenticate data integrity with a SHA-256 HMAC.
---
 package.json | 2 +-
 routes/encryption.js | 11 +++++++++++
 routes/shepherd.js | 1 -
 routes/shepherd/pin.js | 27 ++++++++++++---------------
 4 files changed, 24 insertions(+), 17 deletions(-)
 create mode 100644 routes/encryption.js
diff --git a/package.json b/package.json
index 23bbbd0..63357e2 100644
--- a/package.json
+++ b/package.json
@@ -46,10 +46,10 @@
 "fix-path": "^2.1.0",
 "fs-extra": "^4.0.2",
 "graceful-fs": "^4.1.11",
+ "iocane": "^1.0.0",
 "js-sha256": "^0.7.1",
 "lz-string": "^1.4.4",
 "marketmaker": "git://github.com/pbca26/marketmaker",
- "nodejs-aes256": "^1.0.1",
 "passwd-strength": "git+https://github.com/pbca26/passwd-strength.git",
 "portscanner": "^2.1.1",
 "ps-node": "^0.1.5",
diff --git a/routes/encryption.js b/routes/encryption.js
new file mode 100644
index 0000000..3854f03
--- /dev/null
+++ b/routes/encryption.js
@@ -0,0 +1,11 @@
+'use strict';
+const {createSession} = require('iocane');
+
+const session = createSession()
+ .use('cbc')
+ .setDerivationRounds(300000);
+
+module.exports = {
+ encrypt: session.encrypt.bind(session),
+ decrypt: session.decrypt.bind(session),
+};
diff --git a/routes/shepherd.js b/routes/shepherd.js
index c3e8b07..c13049f 100644
--- a/routes/shepherd.js
+++ b/routes/shepherd.js
@@ -11,7 +11,6 @@ shepherd._fs = require('graceful-fs');
 shepherd.md5 = require('./md5.js');
 shepherd.request = require('request');
 shepherd.portscanner = require('portscanner');
-shepherd.aes256 = require('nodejs-aes256');
 shepherd.AdmZip = require('adm-zip');
 shepherd.remoteFileSize = require('remote-file-size');
 shepherd.Promise = require('bluebird');
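Review bot: routes/encryption.js exports `encrypt` and `decrypt` with no comment on their contract, and the argument order used by the new callers in routes/shepherd/pin.js is the reverse of the `aes256.encrypt(key, text)` calls this commit replaces, so a call converted by habit would pass the PIN as the plaintext. A header comment above `module.exports`, such as `// encrypt(text, password) / decrypt(payload, password): both are awaited by callers; decrypt rejects when authentication fails`, would pin that down (the rejection behaviour is inferred from the try/catch in pin.js). A short comment on `setDerivationRounds(300000)` saying why that value was chosen would also help, since it is the work factor protecting short PINs.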
diff --git a/routes/shepherd/pin.js b/routes/shepherd/pin.js index 824bb32..20a10c1 100644 --- a/routes/shepherd/pin.js +++ b/routes/shepherd/pin.js @@ -1,5 +1,5 @@ const fs = require('fs-extra'); -const aes256 = require('nodejs-aes256'); +const {encrypt, decrypt} = require('./../encryption'); const passwdStrength = require('passwd-strength'); const bitcoin = require('bitcoinjs-lib'); const sha256 = require('js-sha256'); @@ -10,7 +10,7 @@ module.exports = (shepherd) => { * type: POST * params: none */ - shepherd.post('/encryptkey', (req, res, next) => { + shepherd.post('/encryptkey', async (req, res, next) => { if (shepherd.checkToken(req.body.token)) { if (req.body.key && req.body.string) { @@ -42,7 +42,7 @@ module.exports = (shepherd) => { const _customPinFilenameTest = /^[0-9a-zA-Z-_]+$/g; if (_customPinFilenameTest.test(pubkey)) { - const encryptedString = aes256.encrypt(req.body.key, req.body.string); + const encryptedString = await encrypt(req.body.string, req.body.key); fs.writeFile(`${shepherd.agamaDir}/shepherd/pin/${pubkey}.pin`, encryptedString, (err) => { if (err) { @@ -107,7 +107,7 @@ module.exports = (shepherd) => { if (req.body.key && req.body.pubkey) { if (fs.existsSync(`${shepherd.agamaDir}/shepherd/pin/${req.body.pubkey}.pin`)) { - fs.readFile(`${shepherd.agamaDir}/shepherd/pin/${req.body.pubkey}.pin`, 'utf8', (err, data) => { + fs.readFile(`${shepherd.agamaDir}/shepherd/pin/${req.body.pubkey}.pin`, 'utf8', async (err, data) => { if (err) { const errorObj = { msg: 'error', 
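Review bot: The `/encryptkey` handler becomes `async` in the `@@ -10,7 +10,7 @@` hunk, but the `await encrypt(req.body.string, req.body.key)` added in the `@@ -42,7 +42,7 @@` hunk has no try/catch around it, so a rejected promise would leave the request without a response and surface as an unhandled rejection (assuming `shepherd.post` behaves like an Express 4 router, which does not catch errors from async handlers). Wrapping the call, e.g. `try { encryptedString = await encrypt(req.body.string, req.body.key); } catch (err) { /* res.end() an error object and return */ }`, keeps the failure visible to the client. The handler body starts and ends outside both hunks, so an outer guard may exist that is not visible here.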
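Review bot: In the `@@ -107,7 +107,7 @@` hunk `req.body.pubkey` is interpolated into the `.pin` path given to `fs.existsSync` and `fs.readFile` with no filename check visible, whereas the encrypt route tests its `pubkey` against `/^[0-9a-zA-Z-_]+$/` before writing. Unless that validation happens above the hunk, a value containing path separators would resolve outside the `pin` directory; reusing the same test here, `if (!/^[0-9a-zA-Z-_]+$/.test(req.body.pubkey)) { /* respond with an error and return */ }`, closes that gap. The route handler begins outside the hunk.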
@@ -116,21 +116,18 @@ module.exports = (shepherd) => { res.end(JSON.stringify(errorObj)); } else { - const encryptedKey = aes256.decrypt(req.body.key, data); - // test if stored encrypted passphrase is decrypted correctly - // if not then the key is wrong - const _regexTest = encryptedKey.match(/^[0-9a-zA-Z ]+$/g); - let returnObj; - if (!_regexTest) { + let returnObj; + try { + const decryptedKey = await decrypt(data, req.body.key); returnObj = { - msg: 'error', - result: 'wrong key', + msg: 'success', + result: decryptedKey, }; - } else { + } catch (error) { returnObj = { - msg: 'success', - result: encryptedKey, + msg: 'error', + result: 'wrong key', }; }
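Review bot: The `catch (error)` branch reports every `decrypt` failure as `wrong key`, which also covers a modified or truncated file and, presumably, any `.pin` file written by the previous `nodejs-aes256` code, since the commit shows no migration or fallback for the old format. Users upgrading with an existing PIN file would then be told their PIN is wrong. At minimum document this on the catch, e.g. `// decrypt() rejects on authentication failure: wrong PIN, modified file, or a .pin saved in the pre-iocane format`, and consider a one-time re-encryption path for legacy files. The enclosing `fs.readFile` callback continues outside the hunk.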