koa-modules / koa-crypto-session


Encryption with “constant” initialization vector considered harmful #3

Open jcalfee opened 8 years ago

jcalfee commented 8 years ago

Looks like you're using CBC (aes-128-cbc), so this should apply to you:

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Initialization_vector_.28IV.29

An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. However, in most cases, it is important that an initialization vector is never reused under the same key. For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages.

Sounds like you can simply prefix your encrypted data with a unique nonce (like Date.now() + random_value). The random_value is a value in RAM used to keep the nonce unique in a cluster of nodes. Sha256 hash the nonce to get the IV value.
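
The leak described in the comment above, as an added example that is not part of the original thread or the project's code: aes-128-cbc with a constant IV beside a per-message IV prefixed to the ciphertext. The key, the fixed IV, the session payloads and all function names are constructed for the demonstration, and the IV here comes from `crypto.randomBytes` rather than the hashed nonce the comment proposes.

```javascript
const crypto = require('crypto');

const ALGO = 'aes-128-cbc';
const KEY = crypto.randomBytes(16);        // constructed demo key
const FIXED_IV = Buffer.alloc(16, 0x24);   // stands in for a "constant" IV

// Weak: every message is encrypted under the same key and the same IV.
function encryptFixedIv(plaintext) {
  const c = crypto.createCipheriv(ALGO, KEY, FIXED_IV);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
}

// Corrected: fresh 16-byte IV per message, stored in front of the ciphertext.
function encryptRandomIv(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv(ALGO, KEY, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}

// The IV is not secret: read it back from the first 16 bytes.
function decryptRandomIv(blob) {
  const d = crypto.createDecipheriv(ALGO, KEY, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]).toString('utf8');
}

// Number of leading 16-byte blocks two byte strings have in common.
function sharedLeadingBlocks(a, b) {
  const blocks = Math.floor(Math.min(a.length, b.length) / 16);
  let n = 0;
  while (n < blocks &&
         a.subarray(n * 16, n * 16 + 16).equals(b.subarray(n * 16, n * 16 + 16))) {
    n++;
  }
  return n;
}

// Constructed session payloads that share their first 32 bytes (two blocks).
const S1 = '{"sid":"0123456789abcdef01234567","user":"alice"}';
const S2 = '{"sid":"0123456789abcdef01234567","user":"bob"}';

// Constant IV: an observer of the two cookies sees the common prefix.
console.log('fixed IV, shared blocks: ',
  sharedLeadingBlocks(encryptFixedIv(S1), encryptFixedIv(S2)));
// Per-message IV: the outputs (IV included) have no block in common.
console.log('random IV, shared blocks:',
  sharedLeadingBlocks(encryptRandomIv(S1), encryptRandomIv(S2)));
```

Prefixing the IV changes the stored format, so values encrypted under the old constant IV will not decrypt with `decryptRandomIv`; this is the kind of breaking change mentioned later in the thread.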

jcalfee commented 8 years ago

Reference: https://github.com/koa-modules/koa-crypto-session/blob/35a9e826d550d69b7465c68dbd4d4fdb22102fc8/index.js#L14

jcalfee commented 8 years ago

If you're interested, I created a branch that is close to being a pull request. It is a breaking change and I'm not sure how you want to handle that.

https://github.com/steemit/koa-crypto-session/tree/koa-crypto-session-pull-request

haoxins commented 8 years ago

SGTM, PR welcome