We are using Node module Crypto and Express to supply some query string and form name obfuscation.
'use strict';
var algorithm = 'aes-256-ctr'
  , crypto = require('crypto')
  ;
// crypto.createCipher / createDecipher (used in the original snippet) are
// deprecated and removed in current Node releases. Derive a 32-byte key from
// the passphrase with scrypt and use an explicit random IV via createCipheriv;
// the IV is prefixed to the hex output so dec() can read it back.
var deriveKey = function(key){
  return crypto.scryptSync(String(key), 'query-obfuscation', 32); // fixed salt for illustration
};
var enc = function(string, key){
  var iv = crypto.randomBytes(16);
  var cipher = crypto.createCipheriv(algorithm, deriveKey(key), iv);
  var buff = Buffer.from(string, 'utf8');
  return Buffer.concat([iv, cipher.update(buff), cipher.final()]).toString('hex').toUpperCase();
};
var dec = function(string, key){
  var data = Buffer.from(string, 'hex');
  var decipher = crypto.createDecipheriv(algorithm, deriveKey(key), data.subarray(0, 16));
  // CTR mode has no integrity check: a wrong key yields garbage, not an error.
  return Buffer.concat([decipher.update(data.subarray(16)), decipher.final()]).toString('utf8');
};
The key used will most likely be a random session GUID, so the query strings would only be good for as long as that session is valid.
The problem I see is that if the session GUID is different from the one that encoded the string, the function will still decrypt the hex string, but the result will be invalid.
Is there a regex string (to detect whether any non-valid characters were returned in the string) or some other way to determine if a different key was used to decode the string than its original key?
I will be creating an Express middleware soon that will look at each incoming req, determine whether req.query or req.form needs to be deciphered, and try to determine whether the query string was deciphered correctly.
via shaun