Is the encryption in my code secure?

A

arseniylebedev2019-02-23 12:29:56

JavaScript

arseniylebedev, 2019-02-23 12:29:56

Good day! Wrote a simple messenger with aes encryption. Encryption works like this:
1) When connecting, the server generates new RSA keys for the client, sends the public RSA key to the client.
2) The client generates an AES 256 key, encrypts it with a public RSA key and sends it to the server.
3) Further, the message exchange is carried out using the AES key.

Server

const app = require('express')();
const http = require('http').Server(app);
const io = require('socket.io')(http);
const aes256 = require('aes256');
const NodeRSA = require('node-rsa');
const crypto = require('crypto');
const clients = require('./clients');

app.get('/', function(req, res){
    res.send('Messenger srv :)')
});

io.on('connection', function(socket){
    const socket_data = {
        socket: socket,
        rsa_key: new NodeRSA({b: 1024}),
        aes_key: undefined,
        aes_sipher: undefined,
        aes_test: crypto.randomBytes(64).toString('hex'),
    };

    clients.addClient(socket.id, socket_data);

    const addr = socket.handshake.address;
    console.log('IP ' + addr + ' connected!');

    socket.emit('rsa_public_swap', socket_data.rsa_key.exportKey('pkcs8-public-pem'));

    socket.on('aes_swap', function (data) {
        socket_data.aes_key = socket_data.rsa_key.decrypt(data, 'utf8');
        socket_data.aes_sipher = aes256.createCipher(socket_data.aes_key);
        socket_data.aes_test = crypto.randomBytes(64).toString('hex');
        clients.modifyClient(socket.id, socket_data);
        socket.emit('aes_test', socket_data.aes_sipher.encrypt(socket_data.aes_test));
    });

    socket.on('aes_test', function (data) {
        data = socket_data.aes_sipher.decrypt(data);

        socket_data.aes_test += '1';

        if (socket_data.aes_test !== data) {
            socket.disconnect();
        } else {
            socket_data.rsa_key = undefined;
            socket_data.aes_test = undefined;
            clients.modifyClient(socket.id, socket_data);
        }
    });

    socket.on('all_chat', function (data) {
        data = socket_data.aes_sipher.decrypt(data);

        for (const index in clients.getClients()) {
            const client = clients.getClients()[index];

            // if (client.socket.id === socket.id) continue;

            client.socket.emit('all_chat', client.aes_sipher.encrypt(data));
        }
    });

    socket.on('disconnect', function () {
        clients.removeClient(socket.id);
    });
});

http.listen(3000, function(){
    console.log('listening on *:3000');
});

Customer

const io = require('socket.io-client');
const aes256 = require('aes256');
const NodeRSA = require('node-rsa');
const crypto = require('crypto');
const readline = require('readline');

const socket = io('http://localhost:3000');
let rsa_key = undefined;
let aes_key = undefined;
let aes_sipher = undefined;

socket.on('connect', function() {
    console.log('Connected!');

    const rl = readline.createInterface({
        input: process.stdin,
        output: process.stdout
    });

    rl.on('line', (line) => {
        if (line.length === 0) return;

        socket.emit('all_chat', aes_sipher.encrypt(line));
    });
});

socket.on('rsa_public_swap', function(data) {
    console.log('Получил RSA public key...');
    
    rsa_key = new NodeRSA();
    rsa_key.importKey(data);
    
    console.log(rsa_key.encrypt('test', 'base64'));
    console.log('Импортировал RSA public key');

    console.log('Генерирую AES 256 ключ');
    aes_key = crypto.randomBytes(256).toString('hex');
    aes_sipher = aes256.createCipher(aes_key);
    console.log('Сгенерировал AES 256 ключ');

    console.log('Обмениваюсь AES 256 ключем с сервером');

    socket.emit('aes_swap', rsa_key.encrypt(aes_key, 'base64'))
});

socket.on('aes_test', function(data) {
    console.log('Проверяю RSA шифрование с сервером');
    data = aes_sipher.decrypt(data);

    data += '1';

    socket.emit('aes_test', aes_sipher.encrypt(data));
    console.log('Отправил пакет проверки RSA шифрования серверу. Если нас не дисконнектнет то проверка пройдена.');
});

socket.on('all_chat', function(data) {
    data = aes_sipher.decrypt(data);
    console.log(data);
});

socket.on('disconnect', function() {
    console.log('Disconnected!');
});

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

C

CHolfield, 2019-02-23
@arseniylebedev

Apparently, you took an example from the Internet or xs from somewhere, and do not fully understand the principles of secure information exchange using cryptography.
In general, your code is correct, it will work. But you need to do it a little differently.
Mandatory requirements:
1. The public key of the server must be embedded in the client part. The public key of the client must be known to the server before the start of communication (this is called a key exchange over a secure channel). Or raise your Certification Authority and build a public key infrastructure and trust space based on the Certificate Trust List.
2. Each new communication session must begin with the generation of a new AES key and initialization vector.
3. Each packet of sent data must be signed with an electronic signature (sender's secret key) and encrypted with an AES key. Also, each packet must contain an AES session key encrypted with the recipient's public key and an initialization vector encrypted in the same way.
4. The receiving party decrypts the AES key and the initialization vector with its secret key, decrypts the data with the session key, verifies the data signature using the sender's certificate, and processes the data if the result is positive.
something like this.