Transparent crypto support (#314)

The following functionality is included:
 - Symmetric encryption of session data following OWASP recommendations.
 - Updates to readme providing crypto options
 - Key derivation to strengthen provided secret in accordance with NIST SP 800-108 & 800-56c
 - Unique IV conforming to RFC 4309 & NIST SP 800-38d
 - Support for varying symmetric algorithms, key, iv & authentication tag sizes, hashing algorithms & ciphertext encoding
 - Test harness for crypto class as well as using transparent crypto functionality

Author: jas-

README.md

@@ -214,6 +214,18 @@ app.use(express.session({
 
 by doing this, setting `touchAfter: 24 * 3600` you are saying to the session be updated only one time in a period of 24 hours, does not matter how many request's are made (with the exception of those that change something on the session data)
 
+
+## Transparent encryption/decryption of session data
+
+When working with sensitive session data it is [recommended](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md) to use encryption
+
+```js
+const store = new MongoStore({
+  url: 'mongodb://localhost/test-app',
+  secret: 'squirrel'
+})
+```
+
 ## More options
 
   - `collection` Collection (default: `sessions`)
@@ -234,6 +246,15 @@ by doing this, setting `touchAfter: 24 * 3600` you are saying to the session be
                 from the `writeOperationOptions` object will get overwritten.
   - `transformId` (optional) Transform original sessionId in whatever you want to use as storage key.
 
+## Crypto options
+  - `secret` (optional) Enables transparent crypto in accordance with [OWASP session management recommendations](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md).
+  - `algorithm` (optional) Allows for changes to the default symmetric encryption cipher; default is `GCM`. See `crypto.getCiphers()` for supported algorithms.
+  - `hashing` (optional) May be used to change the default hashing algorithm; default is `sha512`. See `crypto.getHashes()` for supported hashing algorithms.
+  - `encodeas` (optional) Specify to change the session data cipher text encoding. Default is `hex`.
+  - `key_size` (optional) When using varying algorithms the key size may be used. Default is `32` based on the `AES` blocksize.
+  - `iv_size` (optional) This can be used to adjust the default [IV](https://csrc.nist.gov/glossary/term/IV) size if a different algorithm requires a different size. Default is `16`.
+  - `at_size` (optional) When using newer `AES` modes such as the default `GCM` or `CCM` an authentication tag size can be defined; default is `16`.
+
 ## Tests
 
     npm test

src/crypto.js

@@ -0,0 +1,133 @@
+'use strict'
+
+class Crypto {
+  init(options) {
+    this.crypto = require('crypto')
+    this.algorithm = options.algorithm || 'aes-256-gcm'
+    this.hashing = options.hashing || 'sha512'
+    this.encodeas = options.encodeas || 'hex'
+    this.iv_size = options.iv_size || 16
+    this.at_size = options.at_size || 16
+    this.key_size = options.key_size || 32
+    this.secret = this._derive_key(options.secret) || false
+  }
+
+  set(plaintext) {
+    let iv = this.crypto.randomBytes(this.iv_size).toString(this.encodeas),
+        aad = this._digest(iv+this.secret, JSON.stringify(plaintext),
+                          this.hashing, this.encodeas),
+        ct = this._encrypt(this.secret, JSON.stringify(plaintext),
+                          this.algorithm, this.encodeas, iv, aad),
+        hmac = this._digest(this.secret, ct.ct, this.hashing, this.encodeas)
+
+    let obj = JSON.stringify({
+      hmac: hmac,
+      ct: ct.ct,
+      at: ct.at,
+      aad: aad,
+      iv: iv
+    })
+
+    return obj
+  }
+    
+  get(ciphertext) {
+    let ct, hmac, pt, sid, session
+
+    if (ciphertext)
+      try {
+        ct = JSON.parse(ciphertext)
+      } catch(err) {
+        ct = ciphertext
+      }
+
+    hmac = this._digest(this.secret, ct.ct, this.hashing, this.encodeas)
+
+    if (hmac != ct.hmac)
+      throw 'Encrypted session was tampered with!'
+
+    if (ct.at)
+      ct.at = Buffer.from(ct.at)
+
+    pt = this._decrypt(this.secret, ct.ct, this.algorithm, this.encodeas,
+                      ct.iv, ct.at, ct.aad)
+
+    return pt
+  }
+
+  _digest(key, obj, hashing, encodeas) {
+    let hmac = this.crypto.createHmac(this.hashing, key)
+    hmac.setEncoding(encodeas)
+    hmac.write(obj)
+    hmac.end()
+    return hmac.read().toString(encodeas)
+  }
+
+  _encrypt(key, pt, algo, encodeas, iv, aad) {
+    let cipher = this.crypto.createCipheriv(algo, key, iv, {
+      authTagLength: this.at_size
+    }), ct, at
+
+    if (aad) {
+      try {
+        cipher.setAAD(Buffer.from(aad), {
+          plaintextLength: Buffer.byteLength(pt)
+        })
+      } catch(err) {
+        throw err
+      }
+    }
+
+    ct = cipher.update(pt, 'utf8', encodeas)
+    ct += cipher.final(encodeas)
+
+    try {
+      at = cipher.getAuthTag()
+    } catch(err) {
+      throw err
+    }
+
+    return (at) ? {'ct': ct, 'at': at} : {'ct': ct}
+  }
+
+  _decrypt(key, ct, algo, encodeas, iv, at, aad) {
+    let cipher = this.crypto.createDecipheriv(algo, key, iv), pt
+
+    if (at) {
+      try {
+        cipher.setAuthTag(Buffer.from(at))
+      } catch(err) {
+        throw err
+      }
+    }
+
+    if (aad) {
+      try {
+        cipher.setAAD(Buffer.from(aad), {
+          plaintextLength: Buffer.byteLength(ct)
+        })
+      } catch(err) {
+        throw err
+      }
+    }
+
+    pt = cipher.update(ct, encodeas, 'utf8')
+    pt += cipher.final('utf8')
+
+    return pt
+  }
+
+  _derive_key(secret) {
+    let key, hash, salt
+
+    hash = this.crypto.createHash(this.hashing)
+    hash.update(secret)
+    salt = hash.digest(this.encodeas).substr(0, 16)
+
+    key = this.crypto.pbkdf2Sync(secret, salt, 10000, 64, this.hashing)
+
+    return key.toString(this.encodeas).substr(0, this.key_size)
+  }
+}
+
+module.exports = new Crypto

src/index.js

@@ -67,14 +67,24 @@ module.exports = function (connect) {
 
       super(options)
 
+      /* Use crypto? */
+      if (options.secret) {
+        try {
+          this.Crypto = require('./crypto.js')
+          this.Crypto.init(options)
+          delete options.secret
+        } catch(error) {
+          throw error
+        }
+      }
+
       /* Options */
       this.ttl = options.ttl || 1209600 // 14 days
       this.collectionName = options.collection || 'sessions'
       this.autoRemove = options.autoRemove || 'native'
       this.autoRemoveInterval = options.autoRemoveInterval || 10 // minutes
       this.writeOperationOptions = options.writeOperationOptions || {}
       this.transformFunctions = computeTransformFunctions(options)
-
       this.options = options
 
       this.changeState('init')
@@ -198,6 +208,16 @@ module.exports = function (connect) {
         }))
         .then(session => {
           if (session) {
+
+            if (this.Crypto) {
+              try {
+                let tmp_session = this.transformFunctions.unserialize(session.session)
+                session.session = this.Crypto.get(tmp_session)
+              } catch(error) {
+                return callback(error)
+              }
+            }
+
             const s = this.transformFunctions.unserialize(session.session)
             if (this.options.touchAfter > 0 && session.lastModified) {
               s.lastModified = session.lastModified
@@ -217,6 +237,14 @@ module.exports = function (connect) {
 
       let s
 
+      if (this.Crypto) {
+        try {
+          session = this.Crypto.set(session)
+        } catch(error) {
+          return callback(error)
+        }
+      }
+
       try {
         s = {_id: this.computeStorageId(sid), session: this.transformFunctions.serialize(session)}
       } catch (err) {
@@ -344,3 +372,4 @@ module.exports = function (connect) {
 
   return MongoStore
 }
+

test/crypto.js

@@ -0,0 +1,77 @@
+'use strict'
+
+const expect = require('expect.js')
+const Crypto = require('../src/crypto.js')
+
+const options = {
+  secret: 'squirrel'
+}
+
+Crypto.init(options)
+
+let hmac
+
+describe('Crypto', () => {
+  let ct, pt
+
+  it('Encrypt data', done => {
+    ct = JSON.parse(Crypto.set('123, easy as ABC. ABC, easy as 123'))
+    expect(ct).to.have.property('ct')
+    expect(ct).to.have.property('iv')
+    expect(ct).to.have.property('hmac')
+    done()
+  })
+
+  it('Decrypt data', done => {
+    pt = Crypto.get(JSON.stringify(ct))
+    expect(pt).to.match(/123, easy as ABC. ABC, easy as 123/)
+    done()
+  })
+
+  it('HMAC validation', done => {
+    hmac = ct.hmac
+    ct.hmac = 'funky chicken'
+    ct = JSON.stringify(ct)
+
+    try {
+      pt = Crypto.get(ct)
+    } catch(err) {
+      expect(err).to.equal('Encrypted session was tampered with!')
+    }
+    done()
+  })
+
+  it('Authentication tag validation', done => {
+    ct = JSON.parse(ct)
+    ct.hmac = hmac
+  
+    if (!ct.at)
+      done()
+    
+    ct.at = 'funky chicken'
+    ct = JSON.stringify(ct)
+
+    try {
+      pt = Crypto.get(ct)
+    } catch(err) {
+      expect(err).to.match(/Unsupported state or unable to authenticate data/)
+    }
+    done()
+  })
+
+  it('Additional authentication data validation', done => {
+    ct = JSON.parse(ct)
+
+    if (!ct.aad) done()
+    
+    ct.aad = 'funky chicken'
+    ct = JSON.stringify(ct)
+
+    try {
+      pt = Crypto.get(ct)
+    } catch(err) {
+      expect(err).to.match(/Unsupported state or unable to authenticate data/)
+    }
+    done()
+  })
+})

test/events.js

@@ -69,3 +69,63 @@ describe('Events', () => {
     })
   })
 })
+
+describe('Events w/ Crypto', () => {
+  let store, collection
+  beforeEach(function (done) {
+    this.timeout(10000)
+    store = new MongoStore({
+      url: connectionString,
+      mongoOptions: { useNewUrlParser: true },
+      collection: 'sessions-test',
+      secret: 'squirrel'
+    })
+    store.once('connected', () => {
+      collection = store.collection
+      collection.deleteMany({}, done)
+    })
+  })
+  afterEach(() => {
+    store.close()
+  })
+
+  describe('set() with an unknown session id', () => {
+    it('should emit a `create` event', done => {
+      store.once('create', sid => {
+        expect(sid).to.be('foo1')
+        done()
+      })
+      store.set('foo1', {foo: 'bar'}, noop)
+    })
+    it('should emit a `set` event', done => {
+      store.once('set', sid => {
+        expect(sid).to.be('foo2')
+        done()
+      })
+      store.set('foo2', {foo: 'bar'}, noop)
+    })
+  })
+
+  describe('set() with a session id associated to an existing session', () => {
+    it('should emit an `update` event', done => {
+      store.once('update', sid => {
+        expect(sid).to.be('foo3')
+        done()
+      })
+      collection.insertOne({_id: 'foo3', session: {foo: 'bar1'}, expires: futureDate}, err => {
+        expect(err).not.to.be.ok()
+        store.set('foo3', {foo: 'bar2'}, noop)
+      })
+    })
+    it('should emit an `set` event', done => {
+      store.once('update', sid => {
+        expect(sid).to.be('foo4')
+        done()
+      })
+      collection.insertOne({_id: 'foo4', session: {foo: 'bar1'}, expires: futureDate}, err => {
+        expect(err).not.to.be.ok()
+        store.set('foo4', {foo: 'bar2'}, noop)
+      })
+    })
+  })
+})