Nodejs createCipher vs createCipheriv


I am currently trying to encrypt data at rest with NodeJS. I have read in the Node API docs that createCipher is not recommended.

The implementation of crypto.createCipher() derives keys using the OpenSSL function EVP_BytesToKey with the digest algorithm set to MD5, one iteration, and no salt. The lack of salt allows dictionary attacks as the same password always creates the same key. The low iteration count and non-cryptographically secure hash algorithm allow passwords to be tested very rapidly.

In line with OpenSSL's recommendation to use pbkdf2 instead of EVP_BytesToKey it is recommended that developers derive a key and IV on their own using crypto.pbkdf2() and to use crypto.createCipheriv() to create the Cipher object.

Is createCipher still a viable and secure way to encrypt data at rest? Should this method be considered deprecated? Is it feasible for a well informed attacker to potentially decrypt data?

Should a solution using createCipheriv always be preferred over createCipher?

Any other details or recommendations appreciated.
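
The contrast described in the quoted documentation, as an added example that is not part of the original question or of Node's own code: `legacyEvpBytesToKey` reimplements the unsalted, single-iteration MD5 derivation to show it is a pure function of the password, and `encrypt`/`decrypt` show the recommended salted PBKDF2 plus `createCipheriv` path. The function names, the AES-256-GCM choice, the random IV, the iteration count and the blob layout (salt, IV, tag, ciphertext) are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// What createCipher(algorithm, password) did internally, per the quoted docs:
// EVP_BytesToKey with MD5, one iteration, no salt. Reimplemented here only to
// show that the derived key and IV depend on nothing but the password.
function legacyEvpBytesToKey(password, keyLen, ivLen) {
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < keyLen + ivLen) {
    // D_i = MD5(D_{i-1} || password); no salt is mixed in.
    block = crypto.createHash('md5').update(block).update(password).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, keyLen), iv: out.subarray(keyLen, keyLen + ivLen) };
}

const ITERATIONS = 600000; // assumed work factor; tune for your hardware

// Recommended path: salted PBKDF2 key, then createCipheriv with a fresh IV.
function encrypt(password, plaintext) {
  const salt = crypto.randomBytes(16); // new salt per message
  const iv = crypto.randomBytes(12);   // 96-bit nonce for GCM
  const key = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Salt, IV and tag are not secret; they are stored with the ciphertext.
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

function decrypt(password, blob) {
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const key = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the password is wrong or the blob was modified.
  const pt = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  return pt.toString('utf8');
}
```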
