1

I am facing up a bit of a wall trying to send encrypted data over to a remote server using the NodeJs crypto module.

According to the API docs, the payload needs to be encrypted using the AES-256 algorithm with randomly generated KEY and IV.

The randomly generated KEY and IV [above] are then encrypted with a shared private key using the RSAES-PKCS1-V1_5 standard.

Finally, the encrypted payload is signed with the private key, using the RSASSA-PKCS1-V1_5 signature scheme and then SHA1 hashed.

Once that is done, I compose an HTTP request and pass the encrypted KEY, IV, encrypted payload and the signature to the remove server.

I am not an expert when it comes to cryptography, so I am convinced that I am doing something wrong somewhere.

The server is able to verify the signature, which gives me confidence that there is no problem with the shared private key file.

However, the server fails to decrypt the encrypted KEY and IV which are needed to decrypt the payload.

I am using the code below for testing:

const crypto = require('crypto');
const fs = require('fs');

//Generate random KEY and IV
const randomKey = crypto.randomBytes(32);
const randomIV = crypto.randomBytes(16);

//Load private key from disk
const privateKey = fs.readFileSync(__dirname + '/private.key');

//Get data payload that should be encrypted with AES-256
const payload = 'Payload to be sent';

//Encrypt payload with AES-256
const cipher = crypto.createCipheriv('aes-256-cbc', randomKey, randomIV);
const encryptedPayload = Buffer.concat([cipher.update(payload), cipher.final()]);

//Sign the encrypted payload using the RSASSA-PKCS1-V1_5 algorithm
const signer = crypto.createSign('RSA-SHA1');
signer.update(encryptedPayload);
signer.end();
const signature = signer.sign(privateKey); //Sign with the private key

//Encrypt both KEY and IV
const encryptOptions = {
  key: privateKey,
  padding: constants.RSA_PKCS1_PADDING
}
const encryptedKey = crypto.publicEncrypt(encryptOptions, randomKey);
const encryptedIV = crypto.publicEncrypt(encryptOptions, randomIV);

//A function that encodes Buffer type data to base64
const encode = buffer => buffer.toString('base64');

const request = {
  encryptedKey: encode(encryptedKey),
  encryptedIV: encode(encryptedIV),
  encryptedPayload: encode(encryptedPayload),
  signature: encode(signature)
};

const endPoint = require('./end-point');
endPoint.call(request);
//-> Server successfully verifies signature but fails to decrypt encrypted KEY and IV

Could someone point me to where I am doing it wrong?

bentesha
  • 898
  • 9
  • 14
  • "The randomly generated KEY and IV [above] are then encrypted with a shared private key" This is likely to be an error and must be encrypted with the public key. But if the documentation is correct, then you are using `crypto.publicEncrypt ()` with a private key. There is probably a corresponding `crypto.privateEncrypt` that you can use – pedrofb Feb 07 '19 at 16:38
  • @pedrofb RSA public key is derivable from private key, so private key may be passed instead whenever public key is specified – bentesha Feb 07 '19 at 20:09

0 Answers0