Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
node-scr
Advanced tools
Changelog
0.3.0 (2020-10-21)
node-jose
to latest (f3566a9af5cd92179503d357fa12ddf3ca6df22c)<a name="0.2.2"></a>
Readme
A JavaScript implementation of Secure Content Resource (SCR) for current web browsers and node.js-based servers. An SCR provides enough information to find and decrypt large protected content (e.g., shared file).
To install the latest from NPM:
npm install node-scr
Or to install a specific release:
npm install node-scr@0.2.0
Alternatively, the latest unpublished code can be installed directly from the repository:
npm install git+ssh://git@github.com:cisco/node-scr.git
Require the library as normal:
var SCR = require("node-scr");
This library uses Promises for most operations.
This library supports Browserify. To use in a web browser, require('node-scr')
and bundle with the rest of your app.
The content to be encrypted or returned from being decrypted are Buffer objects.
To create an empty SCR:
var scrObject;
SCR.create().
then(function(result) {
// {result} is a SRC object
scrObject = result;
});
The SCR object has the following properties:
SCR.create()
populates the cryptographic input factors (key, IV, additional authentication data).
The "loc" member is set by the API user, and the "tag" member is set by scrObject.encrypt()
.
To encrypt content:
// {input} is one of:
// - a node.js Buffer
// - an ArrayBuffer
// - a TypedArray
scrObject.encrypt(input).
then(function(output) {
// {output} is *just* the encrypted content, as a Buffer
// "tag" member of {scrObject} is populated with authentication tag
....
});
The result from encrypt()
's resolved Promise can be passed directly to a WebSocket, XMLHttpRequest, or other processor.
To decrypt content:
// *NOTE:* {scrObject} has the correct "tag" for the (encrypted) content
scrObject.decrypt(output).
then(function(input) {
// {input} is the decrypted content, as a Buffer
....
});
Encrypted JWEs are appropriate to be shared with recipients.
To export the SCR as a JWE:
var jwe;
// {key} is a JWK from 'node-jose', or the JSON representation of a JWK
scrObject.toJWE(key).
then(function(result) {
// {result} is a string representing the JWE using the Compact Serialization
jwe = result;
});
To import the SCR from a JWE:
var scrObject;
// {key} is a JWK from 'node-jose', or the JSON representation of a JWK
// {jwe} is a JWE using any of the serializations (Compact, JSON Flattened, JSON General)
SCR.fromJWE(key, jwe).
then(function(result) {
// {result} is a SCR object
scrObject = result;
});
NOTE: The JSON representation SHOULD NOT be shared outside of running code. It contains all the information necessary to decrypt content
An SCR has the following members (presented as JCR):
scr {
"enc" : string, ; Content Encryption Algorithm from [RFC7518]
"key" : string, ; base64url-encoded raw key value
"iv" : string, ; base64url-encoded initialization vector
"aad" : string, ; Additional authenticated data (AAD)
"loc" : ? uri, ; Location of encrypted content
"tag" : ? string ; base64url-encoded authentication tag
}
The "loc" and "tag" members are optional:
scrObject.encrypt()
A complete example of an SCR as JSON:
{
"enc": "A256GCM",
"key": "Ce3pe4stGd3tvZdSR3ekIoNjF3Q3V6R0oMN4SSGKbyI",
"iv": "AeU_KNtJ8dbl9k1N",
"aad": "2015-08-14T17:03:35.504Z",
"loc": "https://fireshare.example/files/db2daa25-cf41-492b-bc7b-90436949b17c",
"tag": "ZaRZ5vh1u7lyulUrvTKUDw"
}
To export an SCR to a JSON object:
var output = scrObject.toJSON();
To import an SCR from a JSON object:
var scrObject;
// {input} is a JSON representation
SCR.create(input).
then(function(result) {
scrObject = result;
});
FAQs
JavaScript library to work with Secure Content Resource (SCR) objects
The npm package node-scr receives a total of 6,641 weekly downloads. As such, node-scr popularity was classified as popular.
We found that node-scr demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.