Update encryption to aes-128-gcm

LiskArchive · Jul 31, 2023 · 469353a · 469353a
1 parent fc4e20e
commit 469353a
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 30 deletions.
diff --git a/elements/lisk-cryptography/src/encrypt.ts b/elements/lisk-cryptography/src/encrypt.ts
@@ -49,7 +49,7 @@ const getKeyFromPasswordWithArgon2 = async (options: {
 	);
 
 export enum Cipher {
-	AES256GCM = 'aes-256-gcm',
+	AES256GCM = 'aes-128-gcm',
 }
 
 export enum KDF {
@@ -75,7 +75,7 @@ export interface EncryptedMessageObject {
 	};
 }
 
-export const encryptAES256GCMWithPassword = async (
+export const encryptAES128GCMWithPassword = async (
 	plainText: string | Buffer,
 	password: string,
 	options?: {
@@ -88,8 +88,8 @@ export const encryptAES256GCMWithPassword = async (
 	},
 ): Promise<EncryptedMessageObject> => {
 	const kdf = options?.kdf ?? KDF.ARGON2;
-	const IV_BUFFER_SIZE = 12;
-	const SALT_BUFFER_SIZE = 16;
+	const IV_BUFFER_SIZE = 16;
+	const SALT_BUFFER_SIZE = 8;
 	const salt = crypto.randomBytes(SALT_BUFFER_SIZE);
 	const iv = crypto.randomBytes(IV_BUFFER_SIZE);
 	const iterations =
@@ -106,7 +106,7 @@ export const encryptAES256GCMWithPassword = async (
 					memorySize,
 			  })
 			: getKeyFromPassword(password, salt, iterations);
-	const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+	const cipher = crypto.createCipheriv('aes-128-gcm', key.slice(0, 16), iv);
 	const firstBlock = Buffer.isBuffer(plainText)
 		? cipher.update(plainText)
 		: cipher.update(plainText, 'utf8');
@@ -143,16 +143,16 @@ const getTagBuffer = (tag: string): Buffer => {
 };
 
 // Using `function` for overloading typescript
-export async function decryptAES256GCMWithPassword(
+export async function decryptAES128GCMWithPassword(
 	encryptedMessage: EncryptedMessageObject,
 	password: string,
 ): Promise<Buffer>;
-export async function decryptAES256GCMWithPassword(
+export async function decryptAES128GCMWithPassword(
 	encryptedMessage: EncryptedMessageObject,
 	password: string,
 	encoding: 'utf8' | 'utf-8',
 ): Promise<string>;
-export async function decryptAES256GCMWithPassword(
+export async function decryptAES128GCMWithPassword(
 	encryptedMessage: EncryptedMessageObject,
 	password: string,
 	encoding?: 'utf8' | 'utf-8',
@@ -176,7 +176,7 @@ export async function decryptAES256GCMWithPassword(
 			  })
 			: getKeyFromPassword(password, hexToBuffer(salt, 'Salt'), iterations);
 
-	const decipher = crypto.createDecipheriv('aes-256-gcm', key, hexToBuffer(iv, 'IV'));
+	const decipher = crypto.createDecipheriv('aes-128-gcm', key.slice(0, 16), hexToBuffer(iv, 'IV'));
 	decipher.setAuthTag(tagBuffer);
 	const firstBlock = decipher.update(hexToBuffer(ciphertext, 'Cipher text'));
 	const decrypted = Buffer.concat([firstBlock, decipher.final()]);
@@ -188,9 +188,9 @@ export async function decryptAES256GCMWithPassword(
 	return decrypted;
 }
 
-export const encryptMessageWithPassword = encryptAES256GCMWithPassword;
+export const encryptMessageWithPassword = encryptAES128GCMWithPassword;
 
-export const decryptMessageWithPassword = decryptAES256GCMWithPassword;
+export const decryptMessageWithPassword = decryptAES128GCMWithPassword;
 
 const parseOption = (optionString?: string): number | undefined => {
 	const option = !optionString ? undefined : parseInt(optionString, 10);

diff --git a/elements/lisk-cryptography/test/encrypt.spec.ts b/elements/lisk-cryptography/test/encrypt.spec.ts
@@ -65,7 +65,7 @@ describe('encrypt', () => {
 			it('should encrypt a passphrase', () => {
 				expect(encryptedMessage).toHaveProperty('ciphertext');
 				expect(regHexadecimal.test(encryptedMessage.cipherparams.iv)).toBe(true);
-				expect(encryptedMessage.cipherparams.iv).toHaveLength(24);
+				expect(encryptedMessage.cipherparams.iv).toHaveLength(32);
 			});
 
 			it('should encrypt bytes', async () => {
@@ -74,17 +74,17 @@ describe('encrypt', () => {
 				});
 				expect(encryptedMessage).toHaveProperty('ciphertext');
 				expect(regHexadecimal.test(encryptedMessage.cipherparams.iv)).toBe(true);
-				expect(encryptedMessage.cipherparams.iv).toHaveLength(24);
+				expect(encryptedMessage.cipherparams.iv).toHaveLength(32);
 			});
 
 			it('should output the IV', () => {
 				expect(encryptedMessage.cipherparams).toHaveProperty('iv');
-				expect(encryptedMessage.cipherparams.iv).toHaveLength(24);
+				expect(encryptedMessage.cipherparams.iv).toHaveLength(32);
 			});
 
 			it('should output the salt', () => {
 				expect(encryptedMessage.kdfparams).toHaveProperty('salt');
-				expect(encryptedMessage.kdfparams.salt).toHaveLength(32);
+				expect(encryptedMessage.kdfparams.salt).toHaveLength(16);
 			});
 
 			it('should output the tag', () => {
@@ -118,22 +118,22 @@ describe('encrypt', () => {
 
 			beforeEach(() => {
 				encryptedMessage = {
-					version: '1',
 					ciphertext:
-						'866c6f1cab3ef67514bdc54cf0143b8b824ebe7c045efb97707c158c81d313cd1a6399b7aa3002248984d39ea2604b0263fe7bdbd8cb04286a9cbd2d353fc79908daab9af04b2528bf4f06a82d79483c',
-					mac: 'a476979ca68fe90f3c96f8a5f3f0a9fe33aef8b091d1169861e44a11a680aae9',
-					cipher: Cipher.AES256GCM,
-					cipherparams: {
-						iv: 'da7a74acbf34d20ffd3658f9',
-						tag: 'f4282899ed6cb0193e2981dca0d2ae8e',
-					},
+						'fc17353ac21dbdaa8b2c8a09d1ee7ded3e64559922d679e7fd382ac403247bd41389d32c7bc98bfa8f74a141b3946549b0d4ecdc995f130b321274484784f7bc4ac383491cb1010ead36abf91f0cf8be',
+					mac: '61792857203a0860c12ff9ed8dcb70db7240f1dfb28d6ddb8c7478e23c1fe029',
 					kdf: KDF.ARGON2,
 					kdfparams: {
 						parallelism: 4,
 						iterations: 1,
-						memorySize: 2024,
-						salt: '2d4d7f0b7c68ccd977eae30ee10726f3',
+						memorySize: 2097023,
+						salt: '35e8e6305e6577f0',
 					},
+					cipher: Cipher.AES256GCM,
+					cipherparams: {
+						iv: 'bc47f1c691d2e60e59ba6e54a78442fe',
+						tag: '965a1c13309a5272d1bdf84090736f9e',
+					},
+					version: '1',
 				};
 			});
 
@@ -362,7 +362,7 @@ describe('encrypt', () => {
 
 		it('should parse an encrypted passphrase string', () => {
 			const stringifiedEncryptedPassphrase =
-				'kdf=PBKDF2&cipher=aes-256-gcm&version=1&ciphertext=c0fab123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&mac=ddfgb123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&salt=e8c7dae4c893e458e0ebb8bff9a36d84&iv=1a2206e426c714091b7e48f6&tag=3a9d9f9f9a92c9a58296b8df64820c15';
+				'kdf=PBKDF2&cipher=aes-128-gcm&version=1&ciphertext=c0fab123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&mac=ddfgb123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&salt=e8c7dae4c893e458e0ebb8bff9a36d84&iv=1a2206e426c714091b7e48f6&tag=3a9d9f9f9a92c9a58296b8df64820c15';
 			const encryptedMessage = {
 				version: '1',
 				ciphertext:
@@ -375,7 +375,7 @@ describe('encrypt', () => {
 					memorySize: ARGON2_MEMORY,
 					parallelism: 4,
 				},
-				cipher: 'aes-256-gcm',
+				cipher: 'aes-128-gcm',
 				cipherparams: {
 					iv: '1a2206e426c714091b7e48f6',
 					tag: '3a9d9f9f9a92c9a58296b8df64820c15',
@@ -386,7 +386,7 @@ describe('encrypt', () => {
 
 		it('should parse an encrypted passphrase string with custom iterations', () => {
 			const stringifiedEncryptedPassphrase =
-				'kdf=PBKDF2&cipher=aes-256-gcm&version=1&ciphertext=c0fab123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&mac=ddfgb123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&salt=e8c7dae4c893e458e0ebb8bff9a36d84&iv=1a2206e426c714091b7e48f6&tag=3a9d9f9f9a92c9a58296b8df64820c15&iterations=12&parallelism=&memorySize=';
+				'kdf=PBKDF2&cipher=aes-128-gcm&version=1&ciphertext=c0fab123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&mac=ddfgb123d83c386ffacef9a171b6e0e0e9d913e58b7972df8e5ef358afbc65f99c9a2b6fe7716f708166ed72f59f007d2f96a91f48f0428dd51d7c9962e0c6a5fc27ca0722038f1f2cf16333&salt=e8c7dae4c893e458e0ebb8bff9a36d84&iv=1a2206e426c714091b7e48f6&tag=3a9d9f9f9a92c9a58296b8df64820c15&iterations=12&parallelism=&memorySize=';
 			const encryptedMessage = {
 				version: '1',
 				ciphertext:
@@ -399,7 +399,7 @@ describe('encrypt', () => {
 					memorySize: ARGON2_MEMORY,
 					parallelism: 4,
 				},
-				cipher: 'aes-256-gcm',
+				cipher: 'aes-128-gcm',
 				cipherparams: {
 					iv: '1a2206e426c714091b7e48f6',
 					tag: '3a9d9f9f9a92c9a58296b8df64820c15',

diff --git a/framework/src/engine/generator/endpoint.ts b/framework/src/engine/generator/endpoint.ts
@@ -140,7 +140,7 @@ export class Endpoint {
 		if (generatorKeys.type === 'plain') {
 			decryptedKeys = generatorKeys.data;
 		} else {
-			const decryptedBytes = await encrypt.decryptAES256GCMWithPassword(
+			const decryptedBytes = await encrypt.decryptAES128GCMWithPassword(
 				generatorKeys.data,
 				req.password,
 			);