Closed wheresvic closed 6 years ago
I see you want to use regular cipher when no iv is available, but both functions were added in v0.1.94
I think you misunderstood me or maybe I am not understanding you correctly but what I meant was that we should allow an existing db that has been using the older algorithm to be able to upgrade and not break the db.
This can be done as a check in the `decrypt` function: when no salt is available, switch to the older algo. This might leave the db in an inconsistent state, however, and to mitigate that risk I have introduced an optional flag `useAes256Ctr` which will use the older algorithm to maintain backwards compatibility.
Oh I see your point, you are right
https://medium.com/@fhbro/crib-dragging-plain-text-attack-5a61a0bcd80d
https://stackoverflow.com/questions/25427935/node-js-create-initialization-vector-iv-from-random-source#29777716
Note that this will be a major change, as this changes the way the encrypted fields are stored. Also don't break backwards compatibility, i.e. use the regular cipher when no iv is available...
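The fallback discussed in this thread, sketched as an added example; it is not code from the thread or from the project. The `<iv hex>:<ciphertext hex>` storage format, the function names, the demo key and the all-zero `LEGACY_IV` standing in for the older scheme's constant IV are assumptions; only the `useAes256Ctr` flag name comes from the discussion.

```javascript
const crypto = require('crypto');

// Constructed demo key; a real deployment derives this from its configured secret.
const KEY = crypto.createHash('sha256').update('constructed-demo-secret').digest();
// Assumption: the older algorithm behaves like AES-256-CTR with one constant IV.
const LEGACY_IV = Buffer.alloc(16, 0);

function ctr(iv, data) {
  // CTR is symmetric: the same call encrypts and decrypts.
  const c = crypto.createCipheriv('aes-256-ctr', KEY, iv);
  return Buffer.concat([c.update(data), c.final()]);
}

function encrypt(text, opts = {}) {
  const plain = Buffer.from(text, 'utf8');
  // Opt-in legacy mode keeps an old database readable by old code.
  if (opts.useAes256Ctr) return ctr(LEGACY_IV, plain).toString('hex');
  const iv = crypto.randomBytes(16); // fresh IV for every stored value
  return iv.toString('hex') + ':' + ctr(iv, plain).toString('hex');
}

function decrypt(stored) {
  const parts = stored.split(':');
  if (parts.length === 2 && parts[0].length === 32) {
    // New format: the IV travels with the ciphertext.
    return ctr(Buffer.from(parts[0], 'hex'), Buffer.from(parts[1], 'hex')).toString('utf8');
  }
  // No IV present: value was written by the older algorithm.
  return ctr(LEGACY_IV, Buffer.from(stored, 'hex')).toString('utf8');
}

function xorBuffers(a, b) {
  const out = Buffer.alloc(Math.min(a.length, b.length));
  for (let i = 0; i < out.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// True when XOR of two ciphertexts equals XOR of their plaintexts, i.e. the
// keystream was reused and the pair is open to crib-dragging.
function leaksPlaintextXor(p1, p2, opts = {}) {
  const body = (s) => Buffer.from(s.split(':').pop(), 'hex');
  const cx = xorBuffers(body(encrypt(p1, opts)), body(encrypt(p2, opts)));
  return cx.equals(xorBuffers(Buffer.from(p1, 'utf8'), Buffer.from(p2, 'utf8')));
}
```

With the constant IV every value shares one keystream, which is the condition the crib-dragging article linked above depends on; the per-value random IV removes it while old rows still decrypt through the fallback branch.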