Symetric encryption/decryption for PHP and NodeJS communication

encryption.js

'use strict';

const crypto = require('crypto');

const AES_METHOD = 'aes-256-cbc';
const IV_LENGTH = 16; // For AES, this is always 16, checked with php

const password = 'lbwyBzfgzUIvXZFShJuikaWvLJhIVq36'; // Must be 256 bytes (32 characters)

function encrypt(text, password) {
    if (process.versions.openssl <= '1.0.1f') {
        throw new Error('OpenSSL Version too old, vulnerability to Heartbleed')
    }
    
    let iv = crypto.randomBytes(IV_LENGTH);
    let cipher = crypto.createCipheriv(AES_METHOD, new Buffer(password), iv);
    let encrypted = cipher.update(text);

    encrypted = Buffer.concat([encrypted, cipher.final()]);

    return iv.toString('hex') + ':' + encrypted.toString('hex');
}

function decrypt(text) {
    let textParts = text.split(':');
    let iv = new Buffer(textParts.shift(), 'hex');
    let encryptedText = new Buffer(textParts.join(':'), 'hex');
    let decipher = crypto.createDecipheriv('aes-256-cbc', new Buffer($password), iv);
    let decrypted = decipher.update(encryptedText);

    decrypted = Buffer.concat([decrypted, decipher.final()]);

    return decrypted.toString();
}

encryption.php

<?php

define('AES_METHOD', 'aes-256-cbc');

$password = 'lbwyBzfgzUIvXZFShJuikaWvLJhIVq36';

function encrypt($message, $password)
{
    if (OPENSSL_VERSION_NUMBER <= 268443727) {
        throw new RuntimeException('OpenSSL Version too old, vulnerability to Heartbleed');
    }
    
    $iv_size        = openssl_cipher_iv_length(AES_METHOD);
    $iv             = openssl_random_pseudo_bytes($iv_size);
    $ciphertext     = openssl_encrypt($message, AES_METHOD, $password, OPENSSL_RAW_DATA, $iv);
    $ciphertext_hex = bin2hex($ciphertext);
    $iv_hex         = bin2hex($iv);
    return "$iv_hex:$ciphertext_hex";
}
function decrypt($ciphered, $password) {
    $iv_size    = openssl_cipher_iv_length(AES_METHOD);
    $data       = explode(":", $ciphered);
    $iv         = hex2bin($data[0]);
    $ciphertext = hex2bin($data[1]);
    return openssl_decrypt($ciphertext, AES_METHOD, $password, OPENSSL_RAW_DATA, $iv);
}

Fixed the .js decrypt function

• it fixes the variable error
• it fixes the function 2nd argument not being there (password)
• it fixed deprecation warnings and uses the new forms of buffer
  

function decrypt(text, password){
    let textParts = text.split(':');
    let iv = Buffer.from(textParts.shift(), 'hex');
    let encryptedText = Buffer.from(textParts.join(':'), 'hex');
    let decipher = crypto.createDecipheriv('aes-256-cbc', Buffer.from(password), iv);
    let decrypted = decipher.update(encryptedText);

    decrypted = Buffer.concat([decrypted, decipher.final()]);

    return decrypted.toString();
}

Hello,

Thanks for implementation in PHP & NodeJS.

But now i need implementation of decryption in Browser Javascript using CryptoJS library, i have written below code but its not working, just returning empty string, see if any body can make it work:

<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
<script>
function decrypt (encrypted) {
	encrypted = encrypted.split(':');
	let key = CryptoJS.enc.Utf8.parse('1234567890abcdefghijklmnopqrstuv');
	let iv = CryptoJS.enc.Hex.parse(encrypted.shift());
	let data = CryptoJS.enc.Hex.parse(encrypted.join(':'));
	data = CryptoJS.AES.decrypt({
            ciphertext: data
        },key,{iv:iv}).toString(CryptoJS.enc.Utf8);
        return data;
}
</script>

EDITED: The above code is now working, just have to provide "data" (actual encrypted string) inside an object under key "ciphertext" as a first paramater to decrypt function instead of directly passing "data".

Clear the buffer issue between old and new version of the system
https://stackoverflow.com/questions/52165333/deprecationwarning-buffer-is-deprecated-due-to-security-and-usability-issues

How can I make the above code work for large files? I get different chunks when using php and nodejs.