From 85d2d73540551906e7abbc2008d153d079e5f79e Mon Sep 17 00:00:00 2001
From: Nikhil Shahi
Date: Thu, 22 Sep 2022 19:29:12 -0500
Subject: [PATCH] use des-ecb algo for encrypting uniqueSessionId
---
.../services/authentication-config/index.ts | 52 ++++-----------------
backend/src/utils/encryption.ts | 9 ++++
common/src/types.ts | 8 +--
3 files changed, 20 insertions(+), 49 deletions(-)
diff --git a/backend/src/services/authentication-config/index.ts b/backend/src/services/authentication-config/index.ts
index 5fd55144..da413dca 100644
--- a/backend/src/services/authentication-config/index.ts
+++ b/backend/src/services/authentication-config/index.ts
@@ -2,7 +2,7 @@ import { AuthType } from "@common/enums" import { SessionMeta } from "@common/types" import { AppDataSource } from "data-source" import { ApiTrace, AuthenticationConfig } from "models" -import { encrypt, generate_iv } from "utils/encryption" +import { encryptEcb } from "utils/encryption" export class AuthenticationConfigService { static async setSessionMetadata(apiTrace: ApiTrace) {
@@ -14,8 +14,6 @@ export class AuthenticationConfigService { return } const key = process.env.ENCRYPTION_KEY - const encryptionKey = Buffer.from(key, "base64") - const keypairIv = generate_iv() const requestHeaders = apiTrace.requestHeaders const successfulAuth =
@@ -35,20 +33,12 @@ export class AuthenticationConfigService { const decodedUser = Buffer.from(encodedValue, "base64") ?.toString() ?.split(":")[0] - const { encrypted, tag } = encrypt( encodedValue, encryptionKey, keypairIv, ) + const encrypted = encryptEcb(encodedValue, key) sessionMeta = { authenticationProvided: true, authenticationSuccessful: successfulAuth, authType: authConfig.authType, - uniqueSession: { key: encrypted, iv: keypairIv.toString("base64"), tag: tag.toString("base64"), }, + uniqueSessionKey: encrypted, user: decodedUser, } }
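Review bot: `key` is read from `process.env.ENCRYPTION_KEY` and passed straight to `encryptEcb(encodedValue, key)` with no presence or length check, so an unset key or one that decodes to fewer than 8 bytes surfaces as a `TypeError`/`Invalid key length` thrown from inside `crypto.createCipheriv` on every trace that carries credentials, rather than as a clear configuration error; the removed `Buffer.from(key, "base64")` had the same gap, but this rewrite is the moment to close it. I would guard right after the read with `if (!key) { throw new Error("ENCRYPTION_KEY is not set") }`, or a bare `return` matching the one just above it if traces are meant to be recorded without session metadata when no key is configured — which of those is intended is not visible here. Note also that in this Basic-auth branch the value handed to `encryptEcb` is the full base64 `user:password` pair, so whatever primitive `encryptEcb` ends up using, `uniqueSessionKey` is a reversible copy of a credential and must be stored and exposed with the same care as the key itself. `setSessionMetadata` continues outside these hunks.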
@@ -57,20 +47,12 @@ export class AuthenticationConfigService { const authHeader = authConfig.headerKey ?? "" if (header.name.toLowerCase() === authHeader.toLowerCase()) { const headerValue = header.value - const { encrypted, tag } = encrypt( headerValue, encryptionKey, keypairIv, ) + const encrypted = encryptEcb(headerValue, key) sessionMeta = { authenticationProvided: true, authenticationSuccessful: successfulAuth, authType: authConfig.authType, - uniqueSession: { key: encrypted, iv: keypairIv.toString("base64"), tag: tag.toString("base64"), }, + uniqueSessionKey: encrypted, } } break
@@ -78,40 +60,24 @@ export class AuthenticationConfigService { const cookieName = authConfig?.cookieName ?? "" if (header.name.toLowerCase() === cookieName.toLowerCase()) { const cookieValue = header.value - const { encrypted, tag } = encrypt( cookieValue, encryptionKey, keypairIv, ) + const encrypted = encryptEcb(cookieValue, key) sessionMeta = { authenticationProvided: true, authenticationSuccessful: successfulAuth, authType: authConfig.authType, - uniqueSession: { key: encrypted, iv: keypairIv.toString("base64"), tag: tag.toString("base64"), }, + uniqueSessionKey: encrypted, } } break case AuthType.JWT: const jwtHeader = authConfig.headerKey ?? "" if (header.name.toLowerCase() === jwtHeader.toLowerCase()) { - const { encrypted, tag } = encrypt( header.value, encryptionKey, keypairIv, ) + const encrypted = encryptEcb(header.value, key) sessionMeta = { authenticationProvided: true, authenticationSuccessful: successfulAuth, authType: authConfig.authType, - uniqueSession: { key: encrypted, iv: keypairIv.toString("base64"), tag: tag.toString("base64"), }, + uniqueSessionKey: encrypted, } const decodedPayload = JSON.parse( Buffer.from(
diff --git a/backend/src/utils/encryption.ts b/backend/src/utils/encryption.ts
index 1802ea16..289f193d 100644
--- a/backend/src/utils/encryption.ts
+++ b/backend/src/utils/encryption.ts
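Review bot: The literal `sessionMeta = { authenticationProvided: true, authenticationSuccessful: successfulAuth, authType: authConfig.authType, uniqueSessionKey: encrypted }` is now written out identically in the header, cookie and JWT branches of this hunk (and once more in the Basic-auth branch above it), each preceded by its own `const encrypted = encryptEcb(..., key)`; only the secret being encrypted differs. A small closure over `successfulAuth` and `key`, defined once after `successfulAuth` is computed (that line is outside this hunk), would reduce each branch to one assignment and keep the four copies from drifting the next time the shape of `SessionMeta` changes, as it just did. The Basic-auth branch can spread the result and add `user: decodedUser`. The `switch` and `setSessionMetadata` both extend beyond the hunk.
```typescript
// once, after `const successfulAuth = …` (outside this hunk)
const sessionMetaFor = (secret: string): SessionMeta => ({
  authenticationProvided: true,
  authenticationSuccessful: successfulAuth,
  authType: authConfig.authType,
  uniqueSessionKey: encryptEcb(secret, key),
})
// … unchanged: header-name matching per AuthType …
sessionMeta = sessionMetaFor(headerValue) // header branch
sessionMeta = sessionMetaFor(cookieValue) // cookie branch
sessionMeta = sessionMetaFor(header.value) // JWT branch
```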
@@ -1,6 +1,7 @@ import crypto from "crypto" const algorithm = "aes-256-gcm" +const ecbAlgorithm = "des-ecb" /** encrypts ascii/utf-8 text into a base64-encoded string */ const encrypt = (
@@ -14,6 +15,14 @@ const encrypt = ( return { encrypted: enc, tag: cipher.getAuthTag() } } +export const encryptEcb = (text: string, key: string): string => { + const keyBuffer = Buffer.from(key, "base64").subarray(0, 8) + const cipher = crypto.createCipheriv(ecbAlgorithm, keyBuffer, null) + let enc = cipher.update(text, "utf8", "base64") + enc += cipher.final("base64") + return enc +} + /** decrypt decodes base64-encoded ciphertext into a utf8-encoded string */ const decrypt = ( encrypted: string,
diff --git a/common/src/types.ts b/common/src/types.ts
index 5ab038da..1e580da7 100644
--- a/common/src/types.ts
+++ b/common/src/types.ts
@@ -30,13 +30,9 @@ export interface Meta { export interface SessionMeta { authenticationProvided: boolean - authenticationSuccessful?: boolean + authenticationSuccessful: boolean authType: AuthType - uniqueSession?: { key: string iv: string tag: string } + uniqueSessionKey?: string user?: string }
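Review bot: `encryptEcb` swaps the AES-256-GCM path for single DES in ECB mode keyed by `Buffer.from(key, "base64").subarray(0, 8)`: that is a 56-bit key that is brute-forceable offline, ECB with no IV and no tag means equal inputs give equal outputs and nothing detects tampering, and the silent truncation discards all but the first 8 bytes of the configured key (a key that decodes to fewer than 8 bytes makes `createCipheriv` throw). Determinism looks like the goal — the field becomes `uniqueSessionKey` and no `decryptEcb` counterpart is added in this hunk — and that goal does not need reversible encryption: a keyed hash over the full key gives a stable, non-recoverable identifier for the same secret, as below (the four call sites in index.ts would take the new name). If the value must genuinely be decrypted somewhere outside this diff, the existing `encrypt`/`decrypt` pair with a stored per-record IV should stay in use rather than dropping to DES. Separately, single-DES ciphers moved to OpenSSL 3's legacy provider, so `des-ecb` may not be available at all on newer Node builds — worth verifying with `crypto.getCiphers()` on the target runtime.
```typescript
/**
 * Deterministic, keyed, non-reversible identifier for a session secret:
 * HMAC-SHA256 over the utf-8 text, keyed with the full decoded key.
 */
export const sessionIdentifier = (text: string, key: string): string => {
  const keyBuffer = Buffer.from(key, "base64")
  if (keyBuffer.length < 16) {
    throw new Error("ENCRYPTION_KEY must decode to at least 16 bytes")
  }
  return crypto.createHmac("sha256", keyBuffer).update(text, "utf8").digest("base64")
}
```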