UNPKG

kruptein

Version:

crypto; from kruptein to hide or conceal

github.com/jas-/kruptein

jas-/kruptein

170 lines (120 loc) โ€ข 7.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
๐Ÿ” kruptein ======== crypto (krip-toh); from `kruptein` to hide or conceal. [![npm](https://img.shields.io/npm/v/kruptein.svg)](https://npmjs.com/package/kruptein) ![Downloads](https://img.shields.io/npm/dm/kruptein.svg) [![Known Vulnerabilities](https://snyk.io/test/github/jas-/kruptein/badge.svg)](https://snyk.io/test/github/jas-/kruptein) ![Build Status](https://github.com/jas-/kruptein/actions/workflows/node.js.yml/badge.svg) ๐Ÿ”ฌ Sandbox ------- Here you can experiment with the module to ensure it will suit your needs. [kruptein @ codesandbox.io](https://codesandbox.io/p/devbox/romantic-wu-cywk2c) ๐Ÿ—๏ธ Usage ----- When selecting an algorithm from `crypto.getCiphers()` the `iv` and `key_size` values are calculated auto-magically to make implementation easy. You can always define your own if the defaults per algorithm and mode aren't what you would like; see the `options` section above. The `secret` must meet [complexity requirements](https://github.com/jas-/kruptein/blob/5d41a5fa35101112f150c6bf3f757d660f0f3ce1/lib/kruptein.js#L401) ๐Ÿ”’ Encrypt ----------------- An example of creating a new ciphertext object. ```javascript const kruptein = require("kruptein")(opts || {}); let secret = "S3cre+_Squ1rr3l"; kruptein.set(secret, "Some kind of wonderfully private message", (err, ct) => { if (err) throw err; console.log(ct); }); ``` ๐Ÿ”“ Decrypt ------------------ An example of retrieveing plaintext from a ciphertext object. ```javascript const kruptein = require("kruptein")(opts || {}); let ciphertext, secret = "S3cre+_Squ1rr3l"; kruptein.get(secret, ciphertext, (err, pt) => { if (err) throw err; console.log(pt); }); ``` ๐Ÿ‘“ Install ------- To install `npm install kruptein` ๐Ÿ“ฆ Methods ------- * `.set(secret, plaintext, [aad], callback)` * `.get(secret, ciphertext, [{at: auth_tag, aad: aad}], callback)` ๐Ÿ› ๏ธ Options ------- Industry standards are used for the algorithm, hashing algorithm, key & IV sizes. The default key derivation function is `pbkdf2`, however use of the `scrypt` or `argon2` can be used as well. #### Cryptography options * `algorithm`: (Optional) Cipher algorithm from `crypto.getCiphers()`. Default: `aes-256-gcm`. * `hashing`: (Optional) Hash algorithm from `crypto.getHashes()`. Default: `sha384`. * `key_size`: (Optional) Key size bytes (should match block size of algorithm). Default: `32` * `iv_size`: (Optional) IV size bytes. Default: `16`. * `at_size`: (Optional) Authentication tag size. Applicable to `gcm` & `ocb` cipher modes. Default: `128`. #### Key derivation options * `use_scrypt`: (Optional) Use `.scrypt()` to derive a key. Requires node > v10. Default/Fallback: `.pbkdf2()`. * `use_argon2`: (Optional) Use `.argon2id()` to derive a key. Requires node > v24. Default/Fallback: `.pbkdf2()`. #### Encoding options * `encodeas`: (Optional) Output encoding. Currently supports `binary`, `hex`, & `base64`. Default: `base64`. * `use_asn1`: (Optional) Disable the default ASN.1 encoding. Default: true ๐Ÿ“ Options example ----------------- An example of creating a new ciphertext object. ```javascript const opts = { algorithm: 'aes-256-gcm', hashing: 'sha384', key_size: 64, iv_size: 16, at_size: 128, use_argon2: true, encodeas: 'base64', use_asn1: true } const kruptein = require("kruptein")(opts || {}); ``` ๐ŸŒฑ Output ------ The `.set()` method output depends on three factors; the `encodeas`, `algorithm` and `use_asn1`. For any algorithm that supports authentication (AEAD), the object structure includes the `Authentication Tag` and the `Additional Authentication Data` attribute and value. When the `use_asn1` option is enabled (default is true), the result is an [ASN.1](https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/) value using the `encodeas` value. While this is a more complex encoding option, it helps standardize & minimize the size of the resulting ciphertext output. ๐Ÿงช Test harness ------------ The included test harness, invoked with `npm test`, makes every attempt to trap and handle errors. Some of which come from side channel or possible malability of the resultant ciphertext. This can be seen within the `test/index.js` CI test harness under the HMAC, AT & AAD validation test cases. ๐Ÿง  References ----------------------- This module conforms to industry recommendations regarding algorithm type, mode, key size, iv size & implementation, digests, key derivation & management etc. References used provided here: **RFC:** * [RFC 2104](https://tools.ietf.org/html/rfc2104): HMAC: Keyed-Hashing for Message Authentication * [RFC 4086](https://tools.ietf.org/html/rfc4086): Randomness Requirements for Security * [RFC 5084](https://tools.ietf.org/html/rfc5084): Using AES-CCM and AES-GCM Authenticated Encryption * [RFC 7914](https://tools.ietf.org/html/rfc7914): The scrypt Password-Based Key Derivation Function * [RFC 8018](https://tools.ietf.org/html/rfc8018): Password-Based Cryptography Specification * [RFC 9106](https://datatracker.ietf.org/doc/html/rfc9106): Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications * [X.697](https://www.itu.int/rec/T-REC-X.697-201710-I/en): ASN.1 encoding rules: Specifications of JavaScript Object Notation Encoding Rules (JER) **NIST:** * [SP 800-38A](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf): Block cipher modes of operation * [SP 800-38B](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf): Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC * [SP 800-57P1](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf): Recommendations for key management * [SP 800-107](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf): Recommendation for Applications Using Approved Hash Algorithms * [SP 800-108](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf): Recommendation for Key Derivation Using Pseudorandom Functions * [SP 800-131A](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf): Transitioning the Use of Cryptographic Algorithms and Key Lengths * [SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf): Recommendation for Password-Based Key Derivation * [SP 800-175B](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175B.pdf): Guideline for Using Cryptographic Standards in the Federal Government **FIPS:** * [FIPS 197](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf): Advanced Encryption Standard (AES) * [FIPS 198-1](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf): The Keyed-Hash Message Authentication Code (HMAC) * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf): Secure Hash Standard (SHS) ๐Ÿ“ก Contributing ------------ Contributions are welcome & appreciated! Refer to the [contributing document](https://github.com/jas-/kruptein/blob/master/CONTRIBUTING.md) to help facilitate pull requests. ๐Ÿ“‘ License ------- This software is licensed under the [MIT License](https://github.com/jas-/kruptein/blob/master/LICENSE). Copyright Jason Gerfen, 2019.