evp_bytestokey
Package description
The evp_bytestokey package is a utility for deriving a key and IV from a password, mimicking the OpenSSL EVP_BytesToKey method. It is commonly used in cryptographic operations where a secure key needs to be generated from a password for encryption or decryption purposes.
Key and IV Generation
This feature allows the generation of a key and IV (Initialization Vector) from a given password and salt. It is useful for cryptographic operations where a secure key is needed. The example demonstrates how to use the package to generate a 256-bit key and a 128-bit IV from a password and salt.
```js
const evp_bytestokey = require('evp_bytestokey');

const password = 'secret password';
// The salt must be an 8 byte Buffer or null (see the Readme below); a 4 byte string is rejected.
const salt = Buffer.from('saltsalt');
// keyBits is given in bits (256 bits = 32 bytes), ivLen in bytes.
const keyIv = evp_bytestokey(password, salt, 256, 16);
console.log(keyIv.key); // Buffer containing the 32 byte key
console.log(keyIv.iv); // Buffer containing the 16 byte IV
```
The 'crypto' module is a built-in Node.js module that provides cryptographic functionality. It includes a wide range of cryptographic operations, including key generation, encryption, decryption, and hashing. While it does not directly mimic OpenSSL's EVP_BytesToKey, it offers the PBKDF2 function, which can be used for securely deriving keys from passwords. This makes it a more versatile option compared to evp_bytestokey, but requires more setup for similar tasks.
node-forge is a comprehensive Node.js module that includes a variety of cryptographic operations, including key generation, encryption, decryption, and certificate management. It offers more flexibility and a wider range of cryptographic tools compared to evp_bytestokey. While it does not directly implement EVP_BytesToKey, it provides similar functionality through its own APIs for password-based key derivation.
Readme
The insecure key derivation algorithm from OpenSSL.

WARNING: DO NOT USE, except for compatibility reasons. MD5 is insecure. Use at least scrypt or pbkdf2-hmac-sha256 instead.
EVP_BytesToKey(password, salt, keyBits, ivLen)

- password - Buffer, password used to derive the key data.
- salt - 8 byte Buffer or null, salt is used as a salt in the derivation.
- keyBits - number, key length in bits.
- ivLen - number, iv length in bytes.

Returns: { key: Buffer, iv: Buffer }
MD5 with aes-256-cbc:

```js
const crypto = require('crypto')
const EVP_BytesToKey = require('evp_bytestokey')

// aes-256-cbc needs a 32 byte key and a 16 byte IV; keyBits is in bits, ivLen in bytes.
const result = EVP_BytesToKey(
  'my-secret-password',
  null, // no salt
  256,
  16
)
// =>
// { key: <Buffer e3 4f 96 f3 86 24 82 7c c2 5d ff 23 18 6f 77 72 54 45 7f 49 d4 be 4b dd 4f 6e 1b cc 92 a4 27 33>,
//   iv: <Buffer 85 71 9a bf ae f4 1e 74 dd 46 b6 13 79 56 f5 5b> }

const cipher = crypto.createCipheriv('aes-256-cbc', result.key, result.iv)
```
FAQs
The insecure key derivation algorithm from OpenSSL
The npm package evp_bytestokey receives a total of 7,100,702 weekly downloads. As such, evp_bytestokey popularity was classified as popular.

We found that evp_bytestokey demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.