Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@elastic/request-crypto
Advanced tools
JWK+JWE with AES Encryption for Request Encrypt/decrypt
There are 3 parts involved for JWK encryption:
JWK are a way to pass public/private keys (RSA) in JSON format.
With RSA, the data to be encrypted is first mapped on to an integer. For RSA to work, this integer must be smaller than the RSA modulus used. In other words, public key cannot be used to encrypt large payloads.
The way to solve this is to encrypt the payload with a strong AES key, then encrypt the AES key with the public key, and send that key along with the request.
RSA is almost never used for data encryption. The approach we've taken here is the common one (TLS, PGP etc do the same in principle) where a symmetric key is used for data encryption and that key is then encrypted with RSA. Size is one constraint, the other is performance as RSA is painfully slow compared to a symmetric key cipher such as AES.
Request crypto has two main servicers Encryptor
and Decryptor
.
Encryptor
is used by the sending side. while Decryptor
is used by the recieving side.
import { createRequestEncryptor } from '@elastic/request-crypto';
import * as fs from 'fs';
function TelemetryEndpointRoute(req, res) {
const metrics = await getCollectors();
const publicEncryptionKey = await fs.readAsync('...', 'utf8');
const requestEncryptor = await createRequestEncryptor(publicEncryptionKey);
const version = getKibanaVersion();
try {
const encryptedPayload = await requestEncryptor.encrypt(`kibana_${version}`, metrics);
res.end(encryptedPayload);
} catch(err) {
res.status(500).end(`Error: ${err}`);
}
}
async function getTelemetryMetrics() {
return fetch(server.telemetryEndpoint);
}
async function sendTelemetryMetrics() {
const metrics = await getTelemetryMetrics();
return fetch('https://telemetry.elastic.co/v2/xpack', {
method: 'POST',
body: metrics
});
}
import { createRequestDecryptor } from '@elastic/request-crypto';
import privateJWKS from './privateJWKS';
async function handler (event, context, callback) {
const requestDecryptor = await createRequestDecryptor(privateJWKS);
const decryptedPayload = await requestDecryptor.decryptPayload(event.body);
// ... handle payload
}
Json Web Key Sets are to store multiple JWK.
Having keys per use case will reduce the surface of damage in case a key compromise happens.
import { createJWKManager } from '@elastic/request-crypto';
const jwksManager = await createJWKManager();
await jwksManager.addKey(`<kid>`);
import { createJWKManager } from '@elastic/request-crypto';
const existingJWKS = `<fetched from fs>`
const jwksManager = await createJWKManager(existingJWKS);
// get public key components
jwksManager.getPublicJWKS();
// get full Key pairs Inlcuding private components
jwksManager.getPrivateJWKS();
The method getJWKMetadata
returns the metadata of the JWK used to encrypt the request body.
The metadata is an object including the following:
key
: JWK details (kid
, length
, kty
, use
, alg
)protected
an array of the member names from the "protected" member.header
: an object of "protected" member key values.import { createRequestDecryptor } from '@elastic/request-crypto';
import privateJWKS from './privateJWKS';
async function handler (event, context, callback) {
const requestDecryptor = await createRequestDecryptor(privateJWKS);
const jwkMetadata = await requestDecryptor.getJWKMetadata(event.body);
// ... use metadata
}
If the key is not in the provided JWKS the function will throw an error Error: no key found
.
FAQs
Request Cryptography
The npm package @elastic/request-crypto receives a total of 11,249 weekly downloads. As such, @elastic/request-crypto popularity was classified as popular.
We found that @elastic/request-crypto demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.