You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Sometimes we'll want to encrypt data before inserting it into Postgres.
Other times we'll want to be able to decrypt data outside of Postgres.
Sometimes we won't want IV because we want the "known text attack" - we want to search.
This is all perfectly doable.
Postgres' encrypt functions wrap OpenSSL's envelope functions for which the NULL IV is the same as a full IV with all 0s.
"use strict";letivNull=newUint8Array(16);// 16 zeros is the same as a 0-length `null` iv in C/** @typedef {String} Hex *//** * Encrypts data using AES-CBC with a 128-bit key. * @param {String} data - The plaintext data to encrypt. * @param {Uint8Array} key - The 128-bit encryption key (16 bytes). * @returns {Promise<Hex>} - A promise that resolves to the base64-encoded encrypted data. * @throws {Error} If the key is not 128 bits (16 bytes). */asyncfunctionpgEncryptAesCbc128(data,key){if(key.length!==16){thrownewError("key must be 128 bits (16 bytes)");}letcryptoKey=awaitcrypto.subtle.importKey("raw",key,{name: "AES-CBC"},false,["encrypt"],);letbytes=newTextEncoder().encode(data);letencryptedAb=awaitcrypto.subtle.encrypt({name: "AES-CBC",iv: ivNull},cryptoKey,bytes,);letencryptedBytes=newUint8Array(encryptedAb);returnencryptedBytes;}functionbytesToHex(bytes){leths=[];for(letbofbytes){leth=b.toString(16);h=h.padStart(2,"0");hs.push(h);}lethex=hs.join("");returnhex;}functionhexToBytes(hex){letbufLen=hex.length/2;letbytes=newUint8Array(bufLen);leti=0;letindex=0;letlastIndex=hex.length-2;for(;;){if(i>lastIndex){break;}leth=hex.slice(i,i+2);letb=parseInt(h,16);bytes[index]=b;i+=2;index+=1;}returnbytes;}asyncfunctionmain(){letkeyBytes=hexToBytes("deadbeefbadc0ffee0ddf00dcafebabe");letdata="sensitive data (raw)";constencryptedBytes=awaitpgEncryptAesCbc128(data,keyBytes);lethex=bytesToHex(encryptedBytes);console.log(hex);}main();
I'm not 100% sure, but I believe the NULL IV and all-0s IV work the same because the IV is simply preloading the first block (usually with random data) and I believe that matrix won't change from its initial state if the first block is all 0s (and perhaps any block of all 0s is an identity that produces the same block as the prior block).
The text was updated successfully, but these errors were encountered:
Sometimes we'll want to encrypt data before inserting it into Postgres.
Other times we'll want to be able to decrypt data outside of Postgres.
Sometimes we won't want IV because we want the "known text attack" - we want to search.
This is all perfectly doable.
Postgres' encrypt functions wrap OpenSSL's envelope functions for which the NULL IV is the same as a full IV with all 0s.
Here's a simple test to demonstrate this with webcrypto which works with the examples linked to in #10 and https://github.com/coolaj86/home-sweet-home/pull/4/commits.
I'm not 100% sure, but I believe the NULL IV and all-0s IV work the same because the IV is simply preloading the first block (usually with random data) and I believe that matrix won't change from its initial state if the first block is all 0s (and perhaps any block of all 0s is an identity that produces the same block as the prior block).
The text was updated successfully, but these errors were encountered: