Nonce for AES encryption

[chrisveness]

Your Node.js aes encryption examples appeared very high in Google search results, and I found them very helpful – thanks!

However, playing around with it I noticed that the same ciphertext is generated each time, which is certainly not best practice...

Going through the Node crypto documentation, I noticed they say:

The implementation of crypto.createCipher() derives keys using the OpenSSL function EVP_BytesToKey with the digest algorithm set to MD5, one iteration, and no salt. The lack of salt allows dictionary attacks as the same password always creates the same key. The low iteration count and non-cryptographically secure hash algorithm allow passwords to be tested very rapidly.

In line with OpenSSL's recommendation to use pbkdf2 instead of EVP_BytesToKey it is recommended that developers derive a key and IV on their own using crypto.pbkdf2 and to use [crypto.createCipheriv()][] to create the Cipher object.

Deriving IVs seems rather involved. Do you have any examples of how to do this?

[chrisveness]

Browsing your examples further, I see you use a straightforward string as an IV for createCipheriv() (in the GCM example). Is it simpler than the Node.js documentation makes it sound? Elsewhere I've use a millisecond timestamp together with a random number as a CTR-mode nonce. An 'encrypt' function might then look like:

function encrypt(plaintext, password)
    var pwBinary = new Buffer(password, 'utf-8').toString('binary');
    var iv = new Date().getTime().toString(36) + Math.floor(Math.random()*0xffff).toString(36);
    var cipher = crypto.createCipheriv('aes-256-ctr', pwBinary, iv);
    var encr = cipher.update(plaintext, 'utf8', 'base64') + cipher.final('base64');
    return encr;
}

Does that look sensible to you?

One more question: I can't see why an IV needs to be supplied to the decrypt function. Does createCipheriv() not store the IV as part of the ciphertext?