Comparing version 1.5.3 to 1.6.0
{ | ||
"name": "scrypt", | ||
"description": "The scrypt crypto library for NodeJS", | ||
"version": "1.5.3", | ||
"version": "1.6.0", | ||
"keywords": [ | ||
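Review bot: the bump from 1.5.3 to 1.6.0 is a minor release, but nothing else in this diff records what was added; a changelog entry (or a short "what's new" line in the README) would let consumers tell whether the minor bump reflects new functionality or only the documentation and test changes visible here.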
@@ -6,0 +6,0 @@ "scrypt", |
#Scrypt For NodeJS | ||
node-scrypt is a native node C++ wrapper for Colin Percival's scrypt [key derivation](http://en.wikipedia.org/wiki/Key_derivation_function) utility. | ||
##Platforms Supported | ||
This module now supports all "unix" like platforms. It has been tested on **Linux**, **MAC OS** and **SmartOS**, but it is architectured in such a way that any unix type OS is supported. This includes FreeBSD, OpenBSD, SunOS etc. If there is an issue with a particular "unix" like OS, then make contact as it should be very easy to remedy. | ||
##What Is Scrypt? | ||
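Review bot: the headings `#Scrypt For NodeJS`, `##Platforms Supported` and `##What Is Scrypt?` have no space after the hash marks, which CommonMark-based renderers (GitHub's included) treat as plain text rather than headings; use `# Scrypt For NodeJS`, `## Platforms Supported`, `## What Is Scrypt?`. In the same paragraph, "architectured" should be "architected", the claim that the module "supports all 'unix' like platforms" goes beyond what was tested (only Linux, Mac OS and SmartOS are named) and is better phrased as "is expected to build on other Unix-like systems", and "make contact" should say where (e.g. the project's issue tracker).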
@@ -33,2 +36,29 @@ Scrypt is an advanced crypto library used mainly for [key derivation](http://en.wikipedia.org/wiki/Key_derivation_function) (i.e. password authenticator). More information can be found here: | ||
### The Scrypt Hash Format | ||
I have included this section because I keep being queried about the randomness of this module. First all, note that scrypt (and in general, all key derivation functions) store metadata in a header that cannot be encrypted in any way. For example, the random salt needs to be stored un-encrypted in the header. The header information not being encrypted does not mean that security is weakened. What is essential in terms of security is hash **integrity** (meaning that no part of the hashed output can be changed) and that the original password cannot be determined from the hashed output (this is why you are using Scrypt - because it does this in a good way). Scrypt uses a normal MAC to ensure integrity, but it derives it in a funky way based on its unique properties. | ||
Every Scrypt header starts with the word *"scrypt"*. The reason for this is that I am following Colin Percival's (Scrypt's author) reference implementation whereby he starts off each hash this way. Next comes information regarding how the hash will be constructed (see the three tweakable inputs below). Users of scrypt normally do not change this information once it is settled upon (hence this will also look the same for each hash). Once the hash has been produced, the result is base64 encoded to ensure maximum portability. | ||
Taking the above paragraph into account, note the following: The base64 encoding for the word *"scrypt"* is *c2NyeXB0*. So at the very least, every hash derived using this module should start with *c2NyeXB0*. Next comes metadata that normally does not change once settled upon (so it should also look the same). Only then does the random salt get added along with the derived hashed password. | ||
To illustrate with an example, I have hashed two password: *password1* and *password2*. Their outputs are as follows: | ||
password1 | ||
c2NyeXB0AAwAAAAIAAAAAcQ0zwp7QNLklxCn14vB75AYWDIrrT9I/7F9+lVGBfKN/1TH2hs | ||
/HboSy1ptzN0YzHJhC7PZIEPQzf2nuoaqVZg8VkKEJlo8/QaH7qjU2VwB | ||
password2 | ||
c2NyeXB0AAwAAAAIAAAAAZ/+bp8gWcTZgEC7YQZeLLyxFeKRRdDkwbaGeFC0NkdUr/YFAWY | ||
/UwdOH4i/PxW48fXeXBDOTvGWtS3lLUgzNM0PlJbXhMOGd2bke0PvTSnW | ||
As one can see from the above example, both hashes start off by looking similar (they both start with *c2NyeXB0AAwAAAAIAAAAA* - as explained above), but afterwards, things change very rapidly. In fact, I hashed the password *password1* again: | ||
password1 | ||
c2NyeXB0AAwAAAAIAAAAATpP+fdQAryDiRmCmcoOrZa2mZ049KdbA/ofTTrATQQ+m | ||
0L/gR811d0WQyip6p2skXVEMz2+8U+xGryFu2p0yzfCxYLUrAaIzaZELkN2M6k0 | ||
Compare this hash to the one above. Even though they start off looking similar, their outputs are vastly different (even though it is the same password being hashed). This is because of the **random** salt that has been added, ensuring that no two hashes will ever be indentical, even if the password that is being hashed is the same. | ||
For those that are curious or paranoid, please look at how the hash is both [produced](https://github.com/barrysteyn/node-scrypt/blob/master/src/passwordhash/scrypthash.c#L146-197) and [verified](https://github.com/barrysteyn/node-scrypt/blob/master/src/passwordhash/scrypthash.c#L199-238) (you are going to need some knowledge of the [C language](http://c.learncodethehardway.org/book/) for this). | ||
##Why Use Scrypt? | ||
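Review bot: the sentence "scrypt (and in general, all key derivation functions) store metadata in a header" is inaccurate and should be scoped to this module's output: a KDF by itself only produces key bytes, and the header (magic, parameters, salt, integrity check) is a property of the hash format this wrapper emits. The shared prefix `c2NyeXB0AAwAAAAIAAAAA` that the text points at decodes to the bytes "scrypt", a version byte 0x00, log2(N) = 0x0c, r = 8 and p = 1, so the README could state plainly that the cost parameters are stored in the clear and are expected to be identical across hashes, instead of "metadata that normally does not change". Likewise "a normal MAC ... derived in a funky way" should name the actual construction used in the linked `scrypthash.c` lines (which MAC, and which key material keys it), since that is exactly what a reader asking about integrity wants to know. Smaller points: "no two hashes will ever be identical" is only true with overwhelming probability given a random salt, and the typos "First all" (First of all), "two password" (two passwords) and "indentical" (identical) should be fixed.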
@@ -89,10 +119,2 @@ It is probably the most advanced key derivation function available. This is is quote taken from a comment in hacker news: | ||
#Platforms | ||
This library works on the following platforms: | ||
* Linux | ||
* MAC OS | ||
Windows support is coming very soon. | ||
#Installation Instructions | ||
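Review bot: with the old `#Platforms` section removed, the README still keeps the context line "This library has been tested and works on Linux (Ubuntu to be exact) and Mac OS", which now overlaps with the new `##Platforms Supported` section above it (which also lists SmartOS); consolidate the platform claims into that one section so the two lists cannot drift apart.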
@@ -99,0 +121,0 @@ This library has been tested and works on Linux (Ubuntu to be exact) and Mac OS (thanks to [Kelvin Wong](https://github.com/kelvinwong-ca)). |
var test = require('tap').test; | ||
var scrypt = require('../build/Release/scrypt'); | ||
var password = "This is the test password"; | ||
var maxtime_passwordhash = 0.1; //interactive - 100 milliseconds | ||
var maxtime_crypto = 2.0; //A 2 second encryption time | ||
var maxtime_passwordhash = 0.05; | ||
var maxtime_crypto = 0.05; | ||
var message = "This is a message"; | ||
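Review bot: the replacement lines for `maxtime_passwordhash` and `maxtime_crypto` drop the explanatory comments ("interactive - 100 milliseconds", "A 2 second encryption time") without saying why the values fell to 0.05; keep a comment stating that 0.05 is chosen only to keep the test suite fast, because maxtime drives the scrypt cost parameters and a reader copying these constants into an application would get a weaker hash than the 0.1 s interactive guideline the removed line documented.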
@@ -7,0 +7,0 @@ |