crypto.createCipher(algorithm, password[, options])
Use crypto.createCipheriv() instead.
- algorithm <string>
- password <string> | <ArrayBuffer> | <Buffer> | <TypedArray> | <DataView>
- options <Object> stream.transform options
- Returns: <Cipher>
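Creates and returns a Cipher object that uses the given algorithm and password.
The options argument controls stream behavior and is optional except when a cipher in CCM or OCB mode (e.g. 'aes-128-ccm') is used. In that case, the authTagLength option is required and specifies the length of the authentication tag in bytes, see CCM mode. In GCM mode, the authTagLength option is not required but can be used to set the length of the authentication tag that will be returned by getAuthTag(), and it defaults to 16 bytes. For chacha20-poly1305, the authTagLength option defaults to 16 bytes.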
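The algorithm is dependent on OpenSSL, examples are 'aes192', etc. On recent OpenSSL releases, openssl list -cipher-algorithms will display the available cipher algorithms.
The password is used to derive the cipher key and initialization vector (IV). The value must be either a 'latin1' encoded string, a Buffer, a TypedArray, or a DataView.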
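This function is semantically insecure for all supported ciphers and fatally flawed for ciphers in counter mode (such as CTR, GCM, or CCM).
The implementation of crypto.createCipher() derives keys using the OpenSSL function EVP_BytesToKey with the digest algorithm set to MD5, one iteration, and no salt. The lack of salt allows dictionary attacks as the same password always creates the same key. The low iteration count and non-cryptographically secure hash algorithm allow passwords to be tested very rapidly.
In line with OpenSSL's recommendation to use a more modern algorithm instead of EVP_BytesToKey, it is recommended that developers derive a key and IV on their own using crypto.scrypt() and use crypto.createCipheriv() to create the Cipher object.
Users should not use ciphers with counter mode (e.g. CTR, GCM, or CCM) in crypto.createCipher(). A warning is emitted when they are used in order to avoid the risk of IV reuse that causes vulnerabilities. For the case when IV is reused in GCM, see Nonce-Disrespecting Adversaries for details.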
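
The derivation described above next to the recommended replacement, as an added example that is not code from the Node.js documentation or source. The function names legacyKeyIv, encrypt and decrypt are hypothetical, and AES-256-GCM, the 16-byte salt and the default scrypt parameters are choices made for this sketch.

```javascript
const crypto = require('node:crypto');

// Added re-implementation of EVP_BytesToKey as the page describes it:
// MD5, one iteration, no salt. D1 = MD5(pw), Dn = MD5(Dn-1 || pw).
function legacyKeyIv(password, keyLen, ivLen) {
  const pw = Buffer.from(password, 'latin1');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < keyLen + ivLen) {
    block = crypto.createHash('md5').update(block).update(pw).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, keyLen), iv: out.subarray(keyLen, keyLen + ivLen) };
}

// Recommended path: scrypt with a random salt, a fresh random IV per message,
// and createCipheriv(). Salt, IV and tag are not secret and travel with the data.
function encrypt(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit IV, the usual size for GCM
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function decrypt(password, { salt, iv, ct, tag }) {
  const key = crypto.scryptSync(password, salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified, or the password is wrong
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample input.
const a = legacyKeyIv('password', 32, 12);
const b = legacyKeyIv('password', 32, 12);
console.log('legacy key/IV repeat:', a.key.equals(b.key) && a.iv.equals(b.iv));
const m1 = encrypt('password', 'same message');
const m2 = encrypt('password', 'same message');
console.log('scrypt path IV repeats:', m1.iv.equals(m2.iv));
console.log('round trip:', decrypt('password', m1));
```

With the legacy derivation the IV is a pure function of the password, so every message under one password reuses it; the scrypt path draws a new salt and IV on each call.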