How to use AES-256-GCM encryption with MessagePack in Node
I've been working to solve a Sonarcube vulnerability in one of my projects to use a more secure encryption algorithm. In addition to adhering to current standards, I also wanted to make use of MessagePack in order that the data I was encrypting used as minimal space as necessary on disk. Below you will find code how to encrypt and minify text in Javascript.
const msgpack = require("@msgpack/msgpack");
const crypto = require("crypto");
const encoder = new msgpack.Encoder();
const decoder = new msgpack.Decoder();
const password = "pw"; // should be a secure and complex value;
const algorithm = "aes-256-gcm";
const hash = "sha512";
const iterations = 2145;
const keyLen = 32;
const ivLen = 12; // https://gist.github.com/rjz/15baffeab434b8125ca4d783f4116d81?permalink_comment_id=3725558#gistcomment-3725558
const saltLen = 32;
// Create random values
const iv = crypto.randomBytes(24).toString("hex").slice(0, ivLen);
const salt = crypto.randomBytes(64).toString("hex").slice(0, saltLen);
// MINIFY/ENCRYPT PROCESS
// ----------------------
// minify
let encoded = encoder.encode({}); // we are encrypting a Javascript object
let buffer = Buffer.from(encoded, 0, encoded.length);
// encrypt
const ivBuffer = Buffer.from(iv, "utf8");
const saltBuffer = Buffer.from(salt, "utf8");
const key = crypto.pbkdf2Sync(password, saltBuffer, iterations, keyLen, hash); // recommended to use as crypto.randomBytes is not secure
const cipher = crypto.createCipheriv(algorithm, key, ivBuffer);
const encrypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
const tag = cipher.getAuthTag();
let encryptedBuffer = Buffer.concat([saltBuffer, ivBuffer, tag, encrypted]);
let output = encryptedBuffer.toString("base64");
// DECRYPT/UN-MINIFY PROCESS
// ----------------------
// decrypt
let buffer2 = Buffer.from(output, "base64"); // this is here because we want to simulate pulling the content from a file
const copiedBuf = Uint8Array.prototype.slice.call(buffer2); // To not modify the existing buffer
const salt2 = copiedBuf.slice(0, saltLen); // 0, 32
const iv2 = copiedBuf.slice(saltLen, saltLen + ivLen); // 32, 44
const tag2 = copiedBuf.slice(saltLen + ivLen, saltLen + ivLen + 16); // 44, 60; tag is 16 bytes long
const encrypted2 = copiedBuf.slice(saltLen + ivLen + 16); // 60
const key2 = crypto.pbkdf2Sync(password, salt2, iterations, keyLen, hash);
const decipher = crypto.createDecipheriv(algorithm, key2, iv2);
decipher.setAuthTag(tag2);
const decrypted = Buffer.concat([decipher.update(encrypted2), decipher.final()]);
// un minify
console.log(decoder.decode(decrypted));
Encrypting and decrypting text in Javascript with AES-256-GCM and MessagePack