scrypt - npm Package Compare versions

Comparing version 1.6.1 to 1.6.2

.swp

2

package.json
{
"name": "scrypt",
"description": "The scrypt crypto library for NodeJS",
"version": "1.6.1",
"version": "1.6.2",
"keywords": [
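Review bot: only the `version` field changes in `package.json`, yet the README hunk below states that as of 1.6.2 the configuration script runs automatically before each compile. Confirm that build-step change is actually carried by a file in this release (an install script or the gyp file) and is not a documentation-only claim, since nothing in `package.json` reflects a new build or install step.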

@@ -6,0 +6,0 @@ "scrypt",

#Scrypt For NodeJS
node-scrypt is a native node C++ wrapper for Colin Percival's scrypt [key derivation](http://en.wikipedia.org/wiki/Key_derivation_function) utility.
node-scrypt is a native node C++ wrapper for Colin Percival's Scrypt [key derivation](http://en.wikipedia.org/wiki/Key_derivation_function) utility. In short, it is a NodeJS module for what is arguably the most advanced password hash in existence.
##Platforms Supported
This module now supports all "unix" like platforms. It has been tested on **Linux**, **MAC OS** and **SmartOS**, but it is architectured in such a way that any unix type OS is supported. This includes FreeBSD, OpenBSD, SunOS etc. If there is an issue with a particular "unix" like OS, then make contact as it should be very easy to remedy.
For Scrypt to work at its best, it needs to have its configuration file custom built for each platform it is installed on. Scrypt's author made Scrypt as a C program. The user of this C program is expected to run a specialised configuration script which will automatically determines the best and most secure way Scrypt can be compiled on that platform. In the past, the output of this configuration script run on a Linux box was used wih this module, with other platforms (notably Mac OS) being specially customised.
As of version 1.6.2, this configuration is run automatically before each compile, meaning that this NodeJS Scrypt module will be perfectly tuned to the target operating system. But this is only available for Unix like platforms (Windows support coming soon). It has been tested on **Linux**, **MAC OS** and **SmartOS** (so its ready for Joyent Cloud), but it should workd on any unix type OS. This includes FreeBSD, OpenBSD, SunOS etc. If there is an issue with a particular "unix" like OS, then make contact as it should be very easy to remedy.
##What Is Scrypt?
Scrypt is an advanced crypto library used mainly for [key derivation](http://en.wikipedia.org/wiki/Key_derivation_function) (i.e. password authenticator). More information can be found here:
* [Tarsnap blurb about scrypt](http://www.tarsnap.com/scrypt.html) - Colin Percival (the author of scrypt) explains a bit about it.
* [Academic paper explaining scrypt](http://www.tarsnap.com/scrypt/scrypt.pdf).
* [Wikipedia Article on scrypt](http://en.wikipedia.org/wiki/Scrypt).
* [Tarsnap blurb about Scrypt](http://www.tarsnap.com/scrypt.html) - Colin Percival (the author of Scrypt) explains a bit about it.
* [Academic paper explaining Scrypt](http://www.tarsnap.com/scrypt/scrypt.pdf).
* [Wikipedia Article on Scrypt](http://en.wikipedia.org/wiki/Scrypt).
For additional interest, read the article on wikipedias about the [key derivation function](http://en.wikipedia.org/wiki/Key_derivation_function).
For additional interest, read the article on Wikipedia about the [key derivation function](http://en.wikipedia.org/wiki/Key_derivation_function).
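Review bot: the new Platforms paragraph introduces the typos "wih" (with), "workd" (work) and "its ready" (it's ready), and "will automatically determines" should be "will automatically determine"; "architectured" reads better as "designed". More substantively, running the configuration script on every compile makes the build output depend on the target host's toolchain and headers, so the paragraph should say what happens when that script fails or produces an unexpected result (does `npm install` abort, or fall back to the previously generated Linux configuration?). The added sentence "arguably the most advanced password hash in existence" is promotional; stating what it provides (a memory-hard key derivation function) is more useful to the reader.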

@@ -23,3 +25,3 @@ ###The Three Essential Properties Of Password Key Derivation

This scrypt library automatically handles the above properties. The last item seems strange: Computer scientists are normally pre-occupied with making things fast. Yet it is this property that sets Scrypt apart from the competition. As computers evolve and get more powerful, they are able to attack this property more efficiently. This has become especially apparent with the rise of parallel programming. Scrypt aims to defend against all types of attacks, not matter the attackers power now or in the future.
This Scrypt library automatically handles the above properties. The last item seems strange: Computer scientists are normally pre-occupied with making things fast. Yet it is this property that sets Scrypt apart from the competition. As computers evolve and get more powerful, they are able to attack this property more efficiently. This has become especially apparent with the rise of parallel programming. Scrypt aims to defend against all types of attacks, not matter the attackers power now or in the future.
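Review bot: since this sentence is already being touched, fix "not matter the attackers power" to "no matter the attacker's power" and "pre-occupied" to "preoccupied".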

@@ -35,10 +37,10 @@ ### What This Module Provides

I suspect scrypt will be used mainly as a password key derivation function (its author's intended use), but I have also ported the scrypt encryption and decryption functions as implementations for them were available from the author. Performing scrypt cryptography is done if you value security over speed. Scrypt is more secure than a vanilla block cipher (e.g. AES) but it is much slower. It is also the basis for the key derivation functions.
I suspect Scrypt will be used mainly as a password key derivation function (its author's intended use), but I have also ported the Scrypt encryption and decryption functions as implementations for them were available from the author. Performing Scrypt cryptography is done if you value security over speed. Scrypt is more secure than a vanilla block cipher (e.g. AES) but it is much slower. It is also the basis for the key derivation functions.
### The Scrypt Hash Format
I have included this section because I keep being queried about the randomness of this module. First all, note that scrypt (and in general, all key derivation functions) store metadata in a header that cannot be encrypted in any way. For example, the random salt needs to be stored un-encrypted in the header. The header information not being encrypted does not mean that security is weakened. What is essential in terms of security is hash **integrity** (meaning that no part of the hashed output can be changed) and that the original password cannot be determined from the hashed output (this is why you are using Scrypt - because it does this in a good way). Scrypt uses a normal MAC to ensure integrity, but it derives it in a funky way based on its unique properties.
I have included this section because I keep being queried about the randomness of this module. Scrypt (and in general, all key derivation functions) store metadata in the header which cannot be encrypted. For example, the random salt needs to be stored un-encrypted in the header. The header information not being encrypted does not mean that security is weakened. What is essential in terms of security is hash **integrity** (meaning that no part of the hashed output can be changed) and that the original password cannot be determined from the hashed output (this is why you are using Scrypt - because it does this in a good way). Scrypt uses a normal MAC to ensure integrity, but it derives it in a funky way based on its unique properties.
Every Scrypt header starts with the word *"scrypt"*. The reason for this is that I am following Colin Percival's (Scrypt's author) reference implementation whereby he starts off each hash this way. Next comes information regarding how the hash will be constructed (see the three tweakable inputs below). Users of scrypt normally do not change this information once it is settled upon (hence this will also look the same for each hash). Once the hash has been produced, the result is base64 encoded to ensure maximum portability.
Every Scrypt header starts with the word *"Scrypt"*. The reason for this is that I am following Colin Percival's (Scrypt's author) reference implementation whereby he starts off each hash this way. Next comes information regarding how the hash will be constructed (see the three tweakable inputs below). Users of Scrypt normally do not change this information once it is settled upon (hence this will also look the same for each hash). Once the hash has been produced, the result is base64 encoded to ensure maximum portability.
Taking the above paragraph into account, note the following: The base64 encoding for the word *"scrypt"* is *c2NyeXB0*. So at the very least, every hash derived using this module should start with *c2NyeXB0*. Next comes metadata that normally does not change once settled upon (so it should also look the same). Only then does the random salt get added along with the derived hashed password.
Taking the above paragraph into account, note the following: The base64 encoding for the word *"Scrypt"* is *c2NyeXB0*. So at the very least, every hash derived using this module should start with *c2NyeXB0*. Next comes metadata that normally does not change once settled upon (so it should also look the same). Only then does the random salt get added along with the derived hashed password.
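Review bot: the capitalisation sweep breaks a factual statement in the hash-format paragraphs. *c2NyeXB0* is the base64 encoding of the lowercase string "scrypt", which is exactly the magic Colin Percival's reference implementation writes at the start of every header; base64 of "Scrypt" would be *U2NyeXB0*. Keep *"scrypt"* lowercase inside the quotes on both lines (the header magic is a byte string, not the product name), otherwise a reader checking their output against the README will conclude the module is broken. Separately, "Scrypt is more secure than a vanilla block cipher (e.g. AES)" compares a key derivation function with a cipher; the same paragraph says Scrypt is the basis for the key derivation functions, so phrase the slowdown as the cost of deriving the key from a password rather than as a stronger cipher.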

@@ -70,3 +72,3 @@ To illustrate with an example, I have hashed two password: *password1* and *password2*. Their outputs are as follows:

The *three tweakable* inputs mentioned above are as follows (Quoting from the author):
The *three tweakable* inputs mentioned above are as follows (quoting from Scrypt's author Colin Percival):

@@ -96,3 +98,3 @@ **maxtime**

Values for *maxtime*, *maxmemfrac* and *maxmem* are translated into the above values, which are then fed to the scrypt function. The translation function also takes into account the CPU and Memory capabilities of a machine. Therefore values of *N*, *r* and *p* may differ for different machines that have different specs.
Values for *maxtime*, *maxmemfrac* and *maxmem* are translated into the above values, which are then fed to the Scrypt function. The translation function also takes into account the CPU and Memory capabilities of a machine. Therefore values of *N*, *r* and *p* may differ for different machines that have different specs.
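Review bot: because *N*, *r* and *p* are derived from the capabilities of the machine doing the hashing, a hash produced on one server carries different parameters from one produced on another. Say here that these three values are written into the hash header (as the hash-format section describes) so that `verifyHash` reads them from the stored hash instead of recomputing them from `maxtime`/`maxmem`/`maxmemfrac`; without that sentence a reader would expect verification on a machine with a different spec to fail.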

@@ -104,3 +106,3 @@ ## Pros And Cons

* The scrypt algorithm has been published by [IETF](http://en.wikipedia.org/wiki/IETF) as an [Internet Draft](http://en.wikipedia.org/wiki/Internet_Draft) and is thus on track to becoming a standard. See [here](https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-00) for the draft.
* The Scrypt algorithm has been published by [IETF](http://en.wikipedia.org/wiki/IETF) as an [Internet Draft](http://en.wikipedia.org/wiki/Internet_Draft) and is thus on track to becoming a standard. See [here](https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-00) for the draft.
* It is being actively used in production at [Tarsnap](http://www.tarsnap.com/).
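Review bot: "is thus on track to becoming a standard" overstates an Internet Draft; drafts are working documents that expire after six months and carry no standards status by themselves. Say that the algorithm has been written up as an IETF Internet Draft and leave the standardisation claim out.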

@@ -111,5 +113,5 @@ * It is much more secure than bcrypt.

* It is production ready.
* There is a scrypt library for most major scripting languages (Python, Ruby etc). Now this module provides the library for NodeJS :)
* There is a Scrypt library for most major scripting languages (Python, Ruby etc). Now this module provides the library for NodeJS :)
I will end this section with a quote from Colin Percival (author of scrypt):
I will end this section with a quote from Colin Percival (author of Scrypt):
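Review bot: the context bullet "It is much more secure than bcrypt" is unqualified; the Percival quote that closes this section gives the actual basis (an estimated hardware brute-force cost ratio, on 2009 hardware, for a 5 second derivation), so tie the bullet to that estimate or tone it down to "more expensive to brute-force than bcrypt".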

@@ -124,4 +126,3 @@ > We estimate that on modern (2009) hardware, if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2.

#Installation Instructions
This library has been tested and works on Linux (Ubuntu to be exact) and Mac OS (thanks to [Kelvin Wong](https://github.com/kelvinwong-ca)).
#Installation Instruction
##From NPM
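Review bot: the heading changes from "Installation Instructions" to the singular "Installation Instruction", which reads as a typo; keep the plural. Dropping the sentence crediting Kelvin Wong for the Mac OS testing is fine only if the Contributors section still names him.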

@@ -141,3 +142,3 @@

##If installed via NPM
To test, go to the folder where scrypt was installed, and type:
To test, go to the folder where Scrypt was installed, and type:

@@ -149,3 +150,3 @@ cd node_modules/scrypt

##If installed via source
Go to the folder where scrypt was installed and type:
Go to the folder where Scrypt was installed and type:

@@ -157,3 +158,3 @@ cd node-scrypt

#Hash Info
All scrypt output is encoded into Base64 using [René Nyffenegger](http://www.adp-gmbh.ch/) [library](http://www.adp-gmbh.ch/cpp/common/base64.html). The character sets that compromises all output are `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/`.
All Scrypt output is encoded into Base64 using [René Nyffenegger](http://www.adp-gmbh.ch/) [library](http://www.adp-gmbh.ch/cpp/common/base64.html). The character sets that compromises all output are `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/`.
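Review bot: "The character sets that compromises all output" should read "The character set that comprises all output". Also check whether the base64 library emits `=` padding; if it does, `=` belongs in the listed alphabet, since any code that validates stored hashes against this character set would otherwise reject padded output.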

@@ -293,5 +294,5 @@ #Usage

* `password` - [REQUIRED] - a password string.
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running scrypt. Use 0.1 (100 milliseconds) for interactive logins.
* `maxmem` - [OPTIONAL] - instructs scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs scrypt to use the specified fracion of RAM (defaults 0.5).
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running Scrypt. Use 0.1 (100 milliseconds) for interactive logins.
* `maxmem` - [OPTIONAL] - instructs Scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs Scrypt to use the specified fracion of RAM (defaults 0.5).
* `callback_function` - [REQUIRED] - a callback function that will handle processing when result is ready.
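Review bot: "fracion" should be "fraction" and "(defaults 0.5)" should be "(default 0.5)"; both typos are carried over unchanged into every parameter list below. Also document what `maxmem` set to 0 means (no byte cap, leaving `maxmemfrac` as the only memory limit?) and note that the fraction-of-RAM limit is evaluated per call, so it does not bound the memory of several hashes computed concurrently.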

@@ -306,5 +307,5 @@ * `verifyHash(hash, password, callback_function)`

* `password` - [REQUIRED] - a password string.
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running scrypt. Use 0.1 (100 milliseconds) for interactive logins.
* `maxmem` - [OPTIONAL] - instructs scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs scrypt to use the specified fracion of RAM (defaults 0.5).
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running Scrypt. Use 0.1 (100 milliseconds) for interactive logins.
* `maxmem` - [OPTIONAL] - instructs Scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs Scrypt to use the specified fracion of RAM (defaults 0.5).
* `verifyHashSync(hash, password)`
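Review bot: the hunk context places `maxtime`, `maxmem` and `maxmemfrac` bullets directly under `verifyHash(hash, password, callback_function)`, but none of those appear in that signature (the parameters come from the stored hash). Check that these bullets sit under the right function; they look copied from the `passwordHash` entry.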

@@ -320,5 +321,5 @@ * `hash` - [REQUIRED] - the password created with the above `passwordHash` function.

* `password` - [REQUIRED] - a password string.
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running scrypt.
* `maxmem` - [OPTIONAL] - instructs scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs scrypt to use the specified fracion of RAM (defaults 0.5).
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running Scrypt.
* `maxmem` - [OPTIONAL] - instructs Scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs Scrypt to use the specified fracion of RAM (defaults 0.5).
* `callback_function` - [REQUIRED] - a callback function that will handle processing when result is ready.
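Review bot: the context line describes `hash` as "the password created with the above `passwordHash` function"; it is the hash output, not the password, and the distinction matters because the next bullet separately names `password`. Under `encrypt`, `maxtime` is described without the interactive-login guidance given for `passwordHash`; a sentence on how to choose it for encryption (the parameters chosen here are what the decryptor will have to spend) would help.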

@@ -328,5 +329,5 @@ * `decrypt(cipher, password, maxtime, maxmem, maxmemfrac, callback_function)`

* `password` - [REQUIRED] - a password string.
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running scrypt.
* `maxmem` - [OPTIONAL] - instructs scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs scrypt to use the specified fracion of RAM (defaults 0.5).
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running Scrypt.
* `maxmem` - [OPTIONAL] - instructs Scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs Scrypt to use the specified fracion of RAM (defaults 0.5).
* `callback_function` - [REQUIRED] - a callback function that will handle processing when result is ready.
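Review bot: for `decrypt` the meaning of `maxtime`, `maxmem` and `maxmemfrac` differs from `encrypt`: the KDF parameters are fixed by the cipher's header, so these values can only act as a ceiling the decryptor is willing to spend. State whether a cipher whose embedded parameters exceed them fails with an error (as Colin Percival's scrypt utility does) or is decrypted regardless; copying the `encrypt` description verbatim hides that difference.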

@@ -338,16 +339,16 @@

* `password` - [REQUIRED] - a password string.
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running scrypt.
* `maxmem` - [OPTIONAL] - instructs scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs scrypt to use the specified fracion of RAM (defaults 0.5).
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running Scrypt.
* `maxmem` - [OPTIONAL] - instructs Scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs Scrypt to use the specified fracion of RAM (defaults 0.5).
* `decryptSync(cipher, password, maxtime, maxmem, maxmemfrac)`
* `cipher` - [REQUIRED] - the cipher to be decrypted.
* `password` - [REQUIRED] - a password string.
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running scrypt.
* `maxmem` - [OPTIONAL] - instructs scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs scrypt to use the specified fracion of RAM (defaults 0.5).
* `maxtime` - [REQUIRED] - a decimal (double) representing the maxtime in seconds for running Scrypt.
* `maxmem` - [OPTIONAL] - instructs Scrypt to use the specified number of bytes of RAM (default 0).
* `maxmemfrac` - [OPTIONAL] - instructs Scrypt to use the specified fracion of RAM (defaults 0.5).
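Review bot: this is the fifth copy of the same four-bullet parameter list, each carrying the "fracion" and "defaults 0.5" typos. Define the shared tunables once (under `passwordHash` or a "Common parameters" heading) and have the Sync variants refer to it, so the next correction needs one edit instead of ten.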
#Credits
The scrypt library is Colin Percival's [scrypt](http://www.tarsnap.com/scrypt.html) project. This includes the encryption/decryption functions which are basically just wrappers into this library.
The Scrypt library is Colin Percival's [Scrypt](http://www.tarsnap.com/scrypt.html) project. This includes the encryption/decryption functions which are basically just wrappers into this library.
The password hash and verify functions are also very heavily influenced by the scrypt source code, with most functionality being copied from various placed within scrypt.
The password hash and verify functions are also very heavily influenced by the Scrypt source code, with most functionality being copied from various placed within Scrypt.
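Review bot: "copied from various placed within Scrypt" should read "copied from various places within Scrypt". The linked project name can stay lowercase `scrypt`, which is how Colin Percival publishes it; the capitalised form is this module's own convention and need not be applied to the upstream name.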

@@ -354,0 +355,0 @@ #Contributors
