Security News
How Threat Actors are Abusing GitHub’s File Upload Feature to Host Malware
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
By Sarah Gooding - Apr 23, 2024
evp_bytestokey
Advanced tools
- Version published
- Weekly downloads
- 8.8M
- increased by2.73%
- Maintainers
- 2
- Install size
- 200 kB
- Created
- Weekly downloads
Package description
What is evp_bytestokey?
The evp_bytestokey package is a utility for deriving a key and IV from a password, mimicking the OpenSSL EVP_BytesToKey method. It is commonly used in cryptographic operations where a secure key needs to be generated from a password for encryption or decryption purposes.
What are evp_bytestokey's main functionalities?
Key and IV Generation
This feature allows the generation of a key and IV (Initialization Vector) from a given password and salt. It is useful for cryptographic operations where a secure key is needed. The example demonstrates how to use the package to generate a 256-bit key and a 128-bit IV from a password and salt.
const evp_bytestokey = require('evp_bytestokey');
const password = 'secret password';
const salt = 'salt';
const keyIv = evp_bytestokey(password, salt, 32, 16);
console.log(keyIv.key); // Buffer containing the key
console.log(keyIv.iv); // Buffer containing the IVOther packages similar to evp_bytestokey
crypto
The 'crypto' module is a built-in Node.js module that provides cryptographic functionality. It includes a wide range of cryptographic operations, including key generation, encryption, decryption, and hashing. While it does not directly mimic OpenSSL's EVP_BytesToKey, it offers the PBKDF2 function, which can be used for securely deriving keys from passwords. This makes it a more versatile option compared to evp_bytestokey, but requires more setup for similar tasks.
node-forge
node-forge is a comprehensive Node.js module that includes a variety of cryptographic operations, including key generation, encryption, decryption, and certificate management. It offers more flexibility and a wider range of cryptographic tools compared to evp_bytestokey. While it does not directly implement EVP_BytesToKey, it provides similar functionality through its own APIs for password-based key derivation.
Readme
EVP_BytesToKey
The insecure key derivation algorithm from OpenSSL.
WARNING: DO NOT USE, except for compatibility reasons.
MD5 is insecure.
Use at least scrypt or pbkdf2-hmac-sha256 instead.
API
EVP_BytesToKey(password, salt, keyLen, ivLen)
password-Buffer, password used to derive the key data.salt- 8 byteBufferornull, salt is used as a salt in the derivation.keyBits-number, key length in bits.ivLen-number, iv length in bytes.
Returns: { key: Buffer, iv: Buffer }
Examples
MD5 with aes-256-cbc:
const crypto = require('crypto')
const EVP_BytesToKey = require('evp_bytestokey')
const result = EVP_BytesToKey(
'my-secret-password',
null,
32,
16
)
// =>
// { key: <Buffer e3 4f 96 f3 86 24 82 7c c2 5d ff 23 18 6f 77 72 54 45 7f 49 d4 be 4b dd 4f 6e 1b cc 92 a4 27 33>,
// iv: <Buffer 85 71 9a bf ae f4 1e 74 dd 46 b6 13 79 56 f5 5b> }
const cipher = crypto.createCipheriv('aes-256-cbc', result.key, result.iv)
LICENSE MIT
FAQs
The insecure key derivation algorithm from OpenSSL
The npm package evp_bytestokey receives a total of 7,100,702 weekly downloads. As such, evp_bytestokey popularity was classified as popular.
We found that evp_bytestokey demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Last updated on 05 Sep 2017
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
By Sarah Gooding - Apr 19, 2024
Research
Security News
npm Package for ReExt React Components Library Exfiltrates Git Credentials
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
By Sarah Gooding, Socket Research Team - Apr 18, 2024