
Send data securely NODEjs - REST API

I would like the data that I send to my REST API to be encrypted / secure. However, I encounter difficulties here and would be very happy about external help. Please note that the code is simplified for better illustration!

Here is the basic structure of the REST API, so that errors / problems of understanding on my part can be spotted:

Sending the data:

First, I encrypt the relevant data:

```javascript
const crypto = require('crypto')
const algorithm = 'aes-256-ctr'
// aes-256 requires a 32-byte key; a plain string such as 'somesecret' makes
// createCipheriv throw "Invalid key length", so the secret is hashed to 32 bytes
const secretKey = crypto.createHash('sha256').update('somesecret').digest()
const iv = crypto.randomBytes(16)

const encrypt = (t) => {
  const cipher = crypto.createCipheriv(algorithm, secretKey, iv)
  const encrypted = Buffer.concat([cipher.update(t), cipher.final()])
  return { iv: iv.toString('hex'), content: encrypted.toString('hex') }
}

// encrypt is the local function above, not a member of the crypto module;
// password comes from the form (not shown)
const regdata = encrypt(password)
//some stuff --> sending data
```

I then send the data, including the iv and the encrypted data, to my API.

```javascript
async function apicall(data, Method) {
  data = Object.assign(data, {
    apisecret: process.env.REACT_APP_APISECRET,
    cryptokey: process.env.REACT_APP_CRYPTOKEY
  })
  // the whole payload, secrets included, is serialised into the URL path
  const response = await fetch(`https://somepublic.url:4400/defined/query/${JSON.stringify(data)}`, { method: Method })
  // fetch resolves to a Response; its body has to be read before it can be parsed
  const jdata = await response.json()
  //some stuff
  return jdata
}
```

My API looks something like this:

```javascript
//require some stuff
app.use(express.json())
app.use(function (req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Access-Control-Allow-Headers');
  next();
});

// ** Select SQL Data
app.get('/defined/query/:data', (req, res) => {
  const data = JSON.parse(req.params.data)
  if ((data.apisecret != process.env.NODE_APP_APISECRET) || (data.cryptokey != process.env.NODE_APP_CRYPTOKEY)) {
    throw "Authentication Required"
  }
  //do some stuff with encrypted Data
  // doSomeStuff is a placeholder for the elided work; assumed to return a promise
  doSomeStuff(data)
    .then(response => { res.status(200).send(response); })
    .catch(error => { res.status(500).send(error); })
})
```

It all works, I just don't quite understand what encrypting the data does for me if it can be read out in the URL. If someone uses my APP and reads the full URL with Wireshark & Co., they can

  1. read the "process.env.NODE_APP_APISECRET" that I named and thus have access to my API
  2. Although they do not have my "secret key", they can read out the "iv", which I would also like to prevent.

However, I have to send the "iv" in the URL, since the data is only decrypted afterwards.

Did I make a mistake in my setup, or do I generally have a problem understanding the API interface?

You need to consider who you are trying to stop from intercepting the data.

If the goal is to stop third parties intercepting the data between the client and the server, then use HTTPS, only use HTTPS, and do not roll your own encryption on top of it.

If your goal is to let the client store data on the server without people who have access to the server being able to decrypt it, then encrypt it on the client, and do not send the keys to the server.

If your goal is to let multiple clients exchange data without the server being able to decrypt it, then generate keys on each client, share public keys between clients and keep private keys private. Then each client should encrypt the data with the recipient's public key (which can only be decrypted by the recipient's private key).
