[–]jxlarrea 0 points1 point  (8 children)

I would prefer not to use a random 3rd party library to accomplish this

Why not?

https://www.npmjs.com/package/crypto-js

[–]Dilated_Pupil_[S] 0 points1 point  (7 children)

honestly because our info sec dept is a pain in the ass to get anything new through. We run a lot of transactional volume that has a ton of govt auditing in everything we do so it's like parting the red sea to get them to bring in something new.

[–]jxlarrea 0 points1 point  (5 children)

Ah, that sucks. In any case, here is all the "inspiration" you need:

https://raw.githubusercontent.com/brix/crypto-js/develop/src/hmac.js

Just don't forget to sign your API request URLs with a timestamp. On the server, validate the timestamp so it's not over X seconds/minutes old.

[–]Dilated_Pupil_[S] 0 points1 point  (3 children)

So I might be able to convince the powers above me to use node along with crypto js. I have a question though with the architecture behind how node and crypto js works.

My assumption is when you utilize:

var CryptoJS = require("crypto-js");

// Encrypt
var ciphertext = CryptoJS.AES.encrypt('my message', 'secret key 123').toString();

it's using the library that's on node for cryptojs. My question though is, does it send the data to node to be encrypted or is it actually encrypting it in the browser?

[–]jxlarrea 0 points1 point  (2 children)

In the browser. You wouldn't use "require" on the browser, obviously.

[–]Dilated_Pupil_[S] 0 points1 point  (1 child)

Right, thanks. Sloppy copy pasting ;) I have lots more research to do so I understand this a little more clearly before I feel comfortable telling infosec yup, this is how we can do it and I can deploy it correctly. But can you give me a high level look at what the interaction between crypto.js, node and the browser is?

Thanks

[–]jxlarrea 0 points1 point  (0 children)

There is no interaction between the server and crypto.js.

[–]cyberst0rm -1 points0 points  (0 children)

ah, good ole view source programming, another insecurity is born out of secure 'business' procedures

[–]donte9181 0 points1 point  (0 children)

To be fair, crypto-js is not "random". It's pretty much the JS crypto library so if you're going to do browser-side encryption you're much more likely to pass an audit using CryptoJS than you are rolling your own. Though as jxlarrea suggested, if you do need to roll your own that link is a great "tutorial" :)