How do I replace deprecated crypto.createCipher in Node.js?

Question

I am using following functions to encrypt/decrypt strings in Node.js:

var crypto = require('crypto');
var algorithm = 'aes-256-ctr';
function encrypt(text) {
    var cipher = crypto.createCipher(algorithm, password);
    try {
        var crypted = cipher.update(text, 'utf8', 'hex');
        crypted += cipher.final('hex');
    } catch (e) {
        return;
    }
    return crypted;
}

function decrypt(text) {
    var decipher = crypto.createDecipher(algorithm, password);
    try {
        var dec = decipher.update(text, 'hex', 'utf8');
        dec += decipher.final('utf8');
    } catch (e) {
        return;
    }
    return dec;
}

(password is stored separately from encoded text). New version of nodejs/crypt package complains:

(node:5212) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

How do I rewrite this to upgrade my source code?

Zeeshan Hassan Memon · Accepted Answer · 2020-02-24T10:10:05.753

So lets say it like:

Replace deprecated crypto.createDecipher usage with crypto.createDecipheriv

why? because:

according to the deprecation docs it was due to security concerns.

Using crypto.createCipher() and crypto.createDecipher() should be avoided as they use a weak key derivation function (MD5 with no salt) and static initialization vectors. It is recommended to derive a key using crypto.pbkdf2() or crypto.scrypt() and to use crypto.createCipheriv() and crypto.createDecipheriv() to obtain the Cipher and Decipher objects respectively.

Link to the above reference: Click Here

Someone also said:

As per crypto_crypto_createdecipher_algorithm_password_options, one now need to switch to crypto.createDecipheriv.

Sample Code:

const crypto = require('crypto');
const algorithm = 'aes-256-ctr';
const ENCRYPTION_KEY = 'Put_Your_Password_Here'; // or generate sample key Buffer.from('FoCKvdLslUuB4y3EZlKate7XGottHski1LmyqJHvUhs=', 'base64');
const IV_LENGTH = 16;

function encrypt(text) {
    let iv = crypto.randomBytes(IV_LENGTH);
    let cipher = crypto.createCipheriv(algorithm, Buffer.from(ENCRYPTION_KEY, 'hex'), iv);
    let encrypted = cipher.update(text);
    encrypted = Buffer.concat([encrypted, cipher.final()]);
    return iv.toString('hex') + ':' + encrypted.toString('hex');
}

function decrypt(text) {
    let textParts = text.split(':');
    let iv = Buffer.from(textParts.shift(), 'hex');
    let encryptedText = Buffer.from(textParts.join(':'), 'hex');
    let decipher = crypto.createDecipheriv(algorithm, Buffer.from(ENCRYPTION_KEY, 'hex'), iv);
    let decrypted = decipher.update(encryptedText);
    decrypted = Buffer.concat([decrypted, decipher.final()]);
    return decrypted.toString();
}

For complete running example clone node-cheat and run node crypto-create-cipheriv.js.

alright, see the updated answer now it has both code and node-cheat link. @StepanYakovenko — Zeeshan Hassan Memon, Feb 24 '20 at 10:11
It will fire error (node:28641) UnhandledPromiseRejectionWarning: Error: Invalid key length — Codebrekers, Jun 29 '20 at 10:55
@Codebrekers that means you're not providing the correct ENCRYPTION_KEY. Please read this line carefully to make it work: https://github.com/zishon89us/node-cheat/blob/master/stackoverflow_answers/crypto-create-cipheriv.js#L9 — Zeeshan Hassan Memon, Jun 29 '20 at 13:21
@Codebrekers The problem is that the key needs to be 32 bytes long. To achieve this (pad or shrink to 32 bytes regardless of the size of ENCRYPTION_KEY) you can use `Buffer.concat([Buffer.from(ENCRYPTION_KEY), Buffer.alloc(32)], 32)` as second argument to `createCipheriv()` and `createDecipheriv()` — Thalis K., Jul 15 '20 at 11:46
You can use `scrypt(secret, salt, 24, (err, key) => { // cipher/decipher here }) ` to ensure you have a key that is of the correct length for your algorithm. E.g. aes192 = 24 bytes (192 bits). You should use a unique salt if possible. — Learner, May 01 '21 at 02:38

score 2 · Answer 2 · answered Mar 24 '22 at 06:41

createDecipheriv is now Deprecated. Stability: 0 - Deprecated: Use crypto.createCipheriv() instead. One can easily replace it with createCipheriv

const crypto = require('crypto');
const ENC= 'bf3c199c2470cb477d907b1e0917c17b';
const IV = "5183666c72eec9e4";
const ALGO = "aes-256-cbc"

const encrypt = ((text) => 
{
   let cipher = crypto.createCipheriv(ALGO, ENC, IV);
   let encrypted = cipher.update(text, 'utf8', 'base64');
   encrypted += cipher.final('base64');
   return encrypted;
});

const decrypt = ((text) => 
{
   let decipher = crypto.createDecipheriv(ALGO, ENC, IV);
   let decrypted = decipher.update(text, 'base64', 'utf8');
   return (decrypted + decipher.final('utf8'));
});

const encrypted_key = encrypt("HelloWorld");
const decrypted_key = decrypt(encrypted_key);

Have you checked replacing the algorithm with const ALGO = "aes-256-ctr". For me it is working for both ctr and cbc — Jyotirmoy Upadhaya, Mar 25 '22 at 08:48

How do I replace deprecated crypto.createCipher in Node.js?

2 Answers2

Linked

Related