Security News
PyPI Introduces Digital Attestations to Strengthen Python Package Security
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
ecies-geth
Advanced tools
JavaScript Elliptic Curve Integrated Encryption Scheme (ECIES) Library - Based off Geth's implementation
This is a JavaScript Elliptic Curve Integrated Encryption Scheme (ECIES) library for use in both Browser and NodeJS apps.
This module is a modified version of the eccrypto
JavaScript library.
It's also based off Geth's implementation (Ethereum's ecies
Go module).
We needed to have a JavaScript library fully compliant with the way the Go Ethereum ECIES module (ecies
) was implemented.
Parity has implemented ECIES encryption and decryption for arbitrary messages through its extended JSON RPC API and has started translating it into a JavaScript library (ecies-parity
). But issues remain in the latter and needed a pass to correct them.
As with eccrypto
, this library provides two implementations for Browser and NodeJS with the same API.
The ECIES implementation details mimic those introduced by both Geth and Parity, which are:
secp256k1
curve (to match common blockchain transaction signing);The ECIES implementation given here is solely based off Geth's and Parity's implementations. This module offers no guarantee as to the security or validity of the implementation. Furthermore, this project is being actively developed and as such should not be used for highly sensitive informations without further investigation on its robustness. Any feedback or concerns regarding its security would be greatly appreciated.
npm i ecies-geth
Although this module was primarily developed for ECIES encryption/decryption, extra elliptic curve functionalities are provided.
const crypto = require('crypto');
const ecies = require('ecies-geth');
const privateKeyA = crypto.randomBytes(32);
const publicKeyA = await ecies.getPublic(privateKeyA);
const privateKeyB = crypto.randomBytes(32);
const publicKeyB = await ecies.getPublic(privateKeyB);
// Encrypting the message for B.
ecies.encrypt(publicKeyB, Buffer.from('msg to b')).then(function(encrypted) {
// B decrypting the message.
ecies.decrypt(privateKeyB, encrypted).then(function(plaintext) {
console.log('Message to part B', plaintext.toString());
});
});
// Encrypting the message for A.
ecies.encrypt(publicKeyA, Buffer.from('msg to a')).then(function(encrypted) {
// A decrypting the message.
ecies.decrypt(privateKeyA, encrypted).then(function(plaintext) {
console.log('Message to part A', plaintext.toString());
});
});
const crypto = require('crypto');
const ecies = require('ecies-geth');
// A new random 32-byte private key.
const privateKey = crypto.randomBytes(32)
// Corresponding uncompressed (65-byte) public key.
const publicKey = await ecies.getPublic(privateKey);
const str = 'message to sign';
// Always hash your message to sign!
const msg = crypto.createHash('sha256').update(str).digest();
ecies.sign(privateKey, msg).then(function(sig) {
console.log('Signature in DER format:', sig);
ecies.verify(publicKey, msg, sig).then(function() {
console.log('Signature is OK');
}).catch(function() {
console.log('Signature is BAD');
});
})
const crypto = require('crypto');
const ecies = require('ecies-geth');
const privateKeyA = crypto.randomBytes(32);
const publicKeyA = await ecies.getPublic(privateKeyA);
const privateKeyB = crypto.randomBytes(32);
const publicKeyB = await ecies.getPublic(privateKeyB);
ecies.derive(privateKeyA, publicKeyB).then(function(sharedKey1) {
ecies.derive(privateKeyB, publicKeyA).then(function(sharedKey2) {
console.log('Both shared keys are equal', sharedKey1, sharedKey2);
})
})
This library relies on the following dependencies:
To run the tests, you would need to install live-server
:
npm i -g live-server
Thanks to @Methrat0n for the initial work on this adaptation.
This module is distributed under a MIT license.
See the LICENSE file.
1.7.0 (2023-11-05)
Features:
Remove dependency to (vulnerable) live-server
only used for testing purpose;
Breaking change: Messages encrypted with ecies-geth
could not be decrypted using go-ethereum
due to an ecies: invalid message error
. Upon analysis of the source code, a nuanced discrepancy was identified. Specifically, the issue lay in the padding of the shared key: go-ethereum
pads the shared key with zeros when it's less than 32 bytes, a behavior not mirrored in ecies-geth
. Follow the links for specific lines in the sources:
https://github.com/ethereum/go-ethereum/blob/master/crypto/ecies/ecies.go#L134-L136 https://github.com/cyrildever/ecies-geth/blob/master/lib/src/typescript/node.ts#L171
IMPORTANT: This fix introduces a breaking change. Messages encrypted by the older version of this library might not be decryptable after the update, and vice versa. Users will need to be aware of this incompatibility when considering an upgrade.
FAQs
JavaScript Elliptic Curve Integrated Encryption Scheme (ECIES) Library - Based off Geth's implementation
The npm package ecies-geth receives a total of 175 weekly downloads. As such, ecies-geth popularity was classified as not popular.
We found that ecies-geth demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.