crypto.createCipher(algorithm, password[, options])

版本历史
版本变更
v17.9.0

The authTagLength option is now optional when using the chacha20-poly1305 cipher and defaults to 16 bytes.

v15.0.0

The password argument can be an ArrayBuffer and is limited to a maximum of 2 ** 31 - 1 bytes.

v10.10.0

Ciphers in OCB mode are now supported.

v10.2.0

The authTagLength option can now be used to produce shorter authentication tags in GCM mode and defaults to 16 bytes.

v10.0.0

弃用于: v10.0.0

v0.1.94

新增于: v0.1.94

稳定性: 0 - 弃用:请改用 crypto.createCipheriv()

创建并返回一个使用给定 algorithmpasswordCipher 对象。

【Creates and returns a Cipher object that uses the given algorithm and password.】

options 参数控制流的行为,通常是可选的,除非使用 CCM 或 OCB 模式的加密算法(例如 'aes-128-ccm')。在这种情况下,authTagLength 选项是必需的,用于指定认证标签的字节长度,详见 CCM 模式。在 GCM 模式下,authTagLength 选项不是必需的,但可以用来设置 getAuthTag() 返回的认证标签长度,默认值为 16 字节。对于 chacha20-poly1305authTagLength 选项默认为 16 字节。

【The options argument controls stream behavior and is optional except when a cipher in CCM or OCB mode (e.g. 'aes-128-ccm') is used. In that case, the authTagLength option is required and specifies the length of the authentication tag in bytes, see CCM mode. In GCM mode, the authTagLength option is not required but can be used to set the length of the authentication tag that will be returned by getAuthTag() and defaults to 16 bytes. For chacha20-poly1305, the authTagLength option defaults to 16 bytes.】

algorithm 依赖于 OpenSSL,例如 'aes192' 等。在最新的 OpenSSL 版本中,运行 openssl list -cipher-algorithms 将显示可用的加密算法。

【The algorithm is dependent on OpenSSL, examples are 'aes192', etc. On recent OpenSSL releases, openssl list -cipher-algorithms will display the available cipher algorithms.】

password 用于派生密码密钥和初始化向量(IV)。 该值必须是 'latin1' 编码的字符串、BufferTypedArrayDataView

【The password is used to derive the cipher key and initialization vector (IV). The value must be either a 'latin1' encoded string, a Buffer, a TypedArray, or a DataView.】

此功能在所有支持的密码算法中语义上不安全,对于计数器模式(如 CTR、GCM 或 CCM)的密码算法存在致命缺陷。

crypto.createCipher() 的实现是通过 OpenSSL 函数 EVP_BytesToKey 派生密钥,使用的摘要算法为 MD5,迭代次数为一次,且没有使用盐值。缺少盐值会导致字典攻击,因为相同的密码总是生成相同的密钥。低迭代次数和非加密安全的哈希算法使密码可以被非常快速地测试。

【The implementation of crypto.createCipher() derives keys using the OpenSSL function EVP_BytesToKey with the digest algorithm set to MD5, one iteration, and no salt. The lack of salt allows dictionary attacks as the same password always creates the same key. The low iteration count and non-cryptographically secure hash algorithm allow passwords to be tested very rapidly.】

根据 OpenSSL 的建议,开发者应使用更现代的算法替代 EVP_BytesToKey,建议开发者使用 crypto.scrypt() 自行派生密钥和 IV,并使用 crypto.createCipheriv() 创建 Cipher 对象。用户不应在 crypto.createCipher() 中使用计数器模式的加密算法(如 CTR、GCM 或 CCM)。当使用这些模式时,会发出警告,以避免 IV 重用带来的漏洞风险。关于 GCM 中 IV 重用的情况,请参见 一次性不尊重的对手 获取详细信息。

【In line with OpenSSL's recommendation to use a more modern algorithm instead of EVP_BytesToKey it is recommended that developers derive a key and IV on their own using crypto.scrypt() and to use crypto.createCipheriv() to create the Cipher object. Users should not use ciphers with counter mode (e.g. CTR, GCM, or CCM) in crypto.createCipher(). A warning is emitted when they are used in order to avoid the risk of IV reuse that causes vulnerabilities. For the case when IV is reused in GCM, see Nonce-Disrespecting Adversaries for details.】