Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
argon2-browser
Advanced tools
Argon2 is a password-hashing function, the winner of Password Hashing Competition. Here, Argon2 library is compiled for browser runtime.
To cut it short, here are the numbers.
Code run time:
Init time + first run time:
Load | First Use | Second Use | |
---|---|---|---|
Native -O3 SSE | 0 | 90 | 90 |
Native -O3 | 0 | 140 | 140 |
Native -O1 | 0 | 300 | 300 |
Native -O0 | 0 | 750 | 750 |
Chrome asm.js | 100 | 7500 | 6800 |
Chrome WASM | 350 | 1700 | 1650 |
Chrome PNaCl | 1500 | 200 | 200 |
Chrome Interpret s-expr | 1000 | 1650000 | 1650000 |
Chrome Interpret binary | 800 | 1800000 | 1800000 |
Firefox asm.js | 360 | 1850 | 1700 |
Firefox WASM | 400 | 1750 | 1650 |
Safari asm.js | 100 | 7500 | 6900 |
IE11 asm.js | 100 | 52000 | 47000 |
Edge asm.js | 65 | 19500 | 18000 |
Edge +asm asm.js | 100 | 2900 | 2850 |
Environment used to get the numbers above:
Algorithm parameters (-d -t 100 -m 10 -p 1
):
Environment:
It's hard to measure WebAssembly code size because the project is not finished yet and the size of wrapper is rather large. So, we measure only binary file size (.wasm).
Code size, kB | Comment | |
---|---|---|
asm.js | 109 | complete |
WebAssembly | 43 | only .wasm |
PNaCl | 112 | .pexe |
The only change is disabling threading support.
Argon2 is using uint64, which is not supported by JavaScript. This function is called ~30M times per one iteration:
uint64_t fBlaMka(uint64_t x, uint64_t y) {
const uint64_t m = UINT64_C(0xFFFFFFFF);
const uint64_t xy = (x & m) * (y & m);
return x + y + 2 * xy;
}
And this one:
uint64_t rotr64(const uint64_t w, const unsigned c) {
return (w >> c) | (w << (64 - c));
}
In C++, we can make use of SSE for 64-bit arithmetics. In JavaScript, when no 64-bit unsigned long type is available, different engines have different time penalties of this operation.
WASM can support 64-bit integers but it requires compilation with LLVM, and not as asm.js => wasm. But this build is producing bad wasm for now. A simple experiment can be found in perf-test.c: compiling it with i64 support in LLVM gives us 4x boost.
Until WASM is mature, js library is using only asm.js. Here's how to try it.
Install with npm:
npm install argon2-browser
Add script to your HTML:
<script src="node_modules/argon2-browser/lib/argon2.js"></script>
Calculate the hash:
argon2.hash({ pass: 'password', salt: 'somesalt' })
.then(h => console.log(h.hash, h.hashHex, h.encoded))
.catch(e => console.error(e.message, e.code))
Verify the encoded hash (if you need it):
argon2.verify({ pass: 'password', encoded: 'enc-hash' })
.then(() => console.log('OK'))
.catch(e => console.error(e.message, e.code))
Bring your own bundler and promise polyfill.
Other parameters:
argon2.hash({
// required
pass: 'password',
salt: 'salt',
// optional
time: 1, // the number of iterations
mem: 1024, // used memory, in KiB
hashLen: 24, // desired hash length
parallelism: 1, // desired parallelism (will be computed in parallel only for PNaCl)
type: argon2.ArgonType.Argon2d, // or argon2.ArgonType.Argon2i
distPath: '' // asm.js script location, without trailing slash
})
// result
.then(res => {
res.hash // hash as Uint8Array
res.hashHex // hash as hex-string
res.encoded // encoded hash, as required by argon2
})
// or error
.catch(err => {
err.message // error message as string, if available
err.code // numeric error code
})
Of course, you can use generated asm.js code in node.js but it's not sensible: you will get much better speed by compiling native node.js addon, which is not that hard. Wait, it's already done, just install this package.
It is! KeeWeb (web-based password manager) is using both asm.js and WebAssembly Argon2 implementations. Check out the source code, if you're interested.
You can build everything with
./build.sh
Prerequesties:
FAQs
Argon2 library compiled for browser runtime
The npm package argon2-browser receives a total of 3,276 weekly downloads. As such, argon2-browser popularity was classified as popular.
We found that argon2-browser demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.