scrypt - npm Package Compare versions

Comparing version 1.5.3 to 1.6.0

scrypt/configuration/posix_configuration/config.aux/depcomp


package.json
{
"name": "scrypt",
"description": "The scrypt crypto library for NodeJS",
"version": "1.5.3",
"version": "1.6.0",
"keywords": [

@@ -6,0 +6,0 @@ "scrypt",

#Scrypt For NodeJS
node-scrypt is a native node C++ wrapper for Colin Percival's scrypt [key derivation](http://en.wikipedia.org/wiki/Key_derivation_function) utility.
##Platforms Supported
This module now supports all "unix" like platforms. It has been tested on **Linux**, **MAC OS** and **SmartOS**, but it is architectured in such a way that any unix type OS is supported. This includes FreeBSD, OpenBSD, SunOS etc. If there is an issue with a particular "unix" like OS, then make contact as it should be very easy to remedy.
##What Is Scrypt?
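Review bot: the "Platforms Supported" paragraph claims every unix-like OS is supported while only Linux, Mac OS and SmartOS have actually been tested; the untested ones (FreeBSD, OpenBSD, SunOS) should be described as expected to work rather than supported, and "make contact" should point at a concrete channel such as the repository issue tracker so reports end up somewhere actionable. Style: the headings `#Scrypt For NodeJS`, `##Platforms Supported` and `##What Is Scrypt?` need a space after the `#` characters for CommonMark-compliant renderers (GitHub's current one included), "architectured" should read "architected", and "MAC OS" should be "Mac OS".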

@@ -33,2 +36,29 @@ Scrypt is an advanced crypto library used mainly for [key derivation](http://en.wikipedia.org/wiki/Key_derivation_function) (i.e. password authenticator). More information can be found here:

### The Scrypt Hash Format
I have included this section because I keep being queried about the randomness of this module. First all, note that scrypt (and in general, all key derivation functions) store metadata in a header that cannot be encrypted in any way. For example, the random salt needs to be stored un-encrypted in the header. The header information not being encrypted does not mean that security is weakened. What is essential in terms of security is hash **integrity** (meaning that no part of the hashed output can be changed) and that the original password cannot be determined from the hashed output (this is why you are using Scrypt - because it does this in a good way). Scrypt uses a normal MAC to ensure integrity, but it derives it in a funky way based on its unique properties.
Every Scrypt header starts with the word *"scrypt"*. The reason for this is that I am following Colin Percival's (Scrypt's author) reference implementation whereby he starts off each hash this way. Next comes information regarding how the hash will be constructed (see the three tweakable inputs below). Users of scrypt normally do not change this information once it is settled upon (hence this will also look the same for each hash). Once the hash has been produced, the result is base64 encoded to ensure maximum portability.
Taking the above paragraph into account, note the following: The base64 encoding for the word *"scrypt"* is *c2NyeXB0*. So at the very least, every hash derived using this module should start with *c2NyeXB0*. Next comes metadata that normally does not change once settled upon (so it should also look the same). Only then does the random salt get added along with the derived hashed password.
To illustrate with an example, I have hashed two password: *password1* and *password2*. Their outputs are as follows:
password1
c2NyeXB0AAwAAAAIAAAAAcQ0zwp7QNLklxCn14vB75AYWDIrrT9I/7F9+lVGBfKN/1TH2hs
/HboSy1ptzN0YzHJhC7PZIEPQzf2nuoaqVZg8VkKEJlo8/QaH7qjU2VwB
password2
c2NyeXB0AAwAAAAIAAAAAZ/+bp8gWcTZgEC7YQZeLLyxFeKRRdDkwbaGeFC0NkdUr/YFAWY
/UwdOH4i/PxW48fXeXBDOTvGWtS3lLUgzNM0PlJbXhMOGd2bke0PvTSnW
As one can see from the above example, both hashes start off by looking similar (they both start with *c2NyeXB0AAwAAAAIAAAAA* - as explained above), but afterwards, things change very rapidly. In fact, I hashed the password *password1* again:
password1
c2NyeXB0AAwAAAAIAAAAATpP+fdQAryDiRmCmcoOrZa2mZ049KdbA/ofTTrATQQ+m
0L/gR811d0WQyip6p2skXVEMz2+8U+xGryFu2p0yzfCxYLUrAaIzaZELkN2M6k0
Compare this hash to the one above. Even though they start off looking similar, their outputs are vastly different (even though it is the same password being hashed). This is because of the **random** salt that has been added, ensuring that no two hashes will ever be indentical, even if the password that is being hashed is the same.
For those that are curious or paranoid, please look at how the hash is both [produced](https://github.com/barrysteyn/node-scrypt/blob/master/src/passwordhash/scrypthash.c#L146-197) and [verified](https://github.com/barrysteyn/node-scrypt/blob/master/src/passwordhash/scrypthash.c#L199-238) (you are going to need some knowledge of the [C language](http://c.learncodethehardway.org/book/) for this).
##Why Use Scrypt?
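Review bot: "Scrypt uses a normal MAC to ensure integrity, but it derives it in a funky way" is too vague for a section whose purpose is to reassure readers about the hash format; name the construction (the reference implementation keys an HMAC-SHA256 over the header from the scrypt-derived key) so the integrity claim can be checked rather than taken on faith. The fixed prefix `c2NyeXB0AAwAAAAIAAAAA` is more than the literal "scrypt": decoded it also carries the version byte and the cost parameters (log2 N = 12, r = 8, p = 1 for the three sample hashes), so the text should say plainly that anyone holding a stored hash can read the work factor from it, and that the prefix changes whenever those parameters are tuned. "ensuring that no two hashes will ever be indentical" overstates it; with a random salt a repeat is negligibly unlikely, not impossible, and "indentical" should be "identical". The links to `scrypthash.c` use `master` with `#L146-197` / `#L199-238` anchors, which will point at the wrong lines as soon as the file is edited; pin them to a specific commit. Minor: "First all" should be "First of all", "two password" should be "two passwords", and "(i.e. password authenticator)" in the hunk header context means "password hashing", which is what a KDF is used for here.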

@@ -89,10 +119,2 @@ It is probably the most advanced key derivation function available. This is is quote taken from a comment in hacker news:

#Platforms
This library works on the following platforms:
* Linux
* MAC OS
Windows support is coming very soon.
#Installation Instructions
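Review bot: this hunk removes the old "Platforms" list, including the line "Windows support is coming very soon", and the replacement "Platforms Supported" section in the earlier hunk only covers unix-like systems, so Windows status silently disappears from the README. State explicitly whether Windows is supported, planned, or out of scope so the removal does not read as a withdrawn promise; also "MAC OS" should be "Mac OS" here as in the other hunk, and `#Platforms` / `#Installation Instructions` need a space after the `#`.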

@@ -99,0 +121,0 @@ This library has been tested and works on Linux (Ubuntu to be exact) and Mac OS (thanks to [Kelvin Wong](https://github.com/kelvinwong-ca)).

var test = require('tap').test;
var scrypt = require('../build/Release/scrypt');
var password = "This is the test password";
var maxtime_passwordhash = 0.1; //interactive - 100 milliseconds
var maxtime_crypto = 2.0; //A 2 second encryption time
var maxtime_passwordhash = 0.05;
var maxtime_crypto = 0.05;
var message = "This is a message";
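Review bot: `maxtime_passwordhash` drops from 0.1 to 0.05 and `maxtime_crypto` from 2.0 to 0.05, and the comments that explained them ("interactive - 100 milliseconds", "A 2 second encryption time") are removed with the old lines. Keep a comment on the new values stating that they are deliberately tiny to keep the suite fast and are not recommended production settings, because test files are the first thing readers copy from. Since scrypt selects its cost parameters from a wall-clock budget, a 50 ms budget will yield different N/r/p on different machines; any assertion in this file that depends on the exact cost parameters or on a reproducible hash value will be flaky and should use fixed parameters or known test vectors instead.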

@@ -7,0 +7,0 @@

Sorry, the diff of this file is not supported yet
