Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
standard-ecies
Advanced tools
Standard ECIES implemention for NodeJS based on crypto module with no other dependencies.
Standard ECIES (ecc encryption) implemention for NodeJS based on crypto
module with no other dependencies.
The implemention is followed by the description in https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme .
Support all of curves listed in crypto.getCurves()
.
// option parameter is optional, all options are optional except iv,
// when symmetric cipher is not in ecb mode, iv option must be offered.
// default option
const options = {
hashName: 'sha256',
hashLength: 32,
macName: 'sha256',
macLength: 32,
curveName: 'secp256k1',
symmetricCypherName: 'aes-128-ecb',
iv: null,
// iv is used in symmetric cipher, set null if the cipher does not need an
// initialization vector (e.g. a cipher in ecb mode). Set undefined if you
// want to use deprecated createCipheriv / createDecipher / EVP_BytesToKey
keyFormat: 'uncompressed',
s1: null, // optional shared information1
s2: null // optional shared information2
}
const ecdh = crypto.createECDH(options.curveName);
ecdh.generateKeys();
const plainText = Buffer.from('hello world');
const encryptedText = ecies.encrypt(ecdh.getPublicKey(), plainText, options);
const decryptedText = ecies.decrypt(ecdh, encryptedText, options);
assert(plainText.toString('hex') == decryptedText.toString('hex'));
For the projects used this library with options.iv set to a valid iv buffer, no change is required to make compatible with 1.0.0. Other projects can set options.iv = undefined
to make compatible with an older version.
In the version 1.0.0, it is advised to use a null iv for ECB mode ciphers, which will use crypto.createCipher -> EVP_BytesToKey to derive a key. However, as noted in the latest manual of EVP_BytesToKey that "Newer applications should use a more modern algorithm such as PBKDF2 as defined in PKCS#5v2.1 and provided by PKCS5_PBKDF2_HMAC", crypto.createCipher is deprecated by nodejs. Therefore, to avoid this library to use deprecated nodejs API by default, the behavior of options.iv == null
now is to use crypto.createCipheriv with an empty iv to create the cipher which, however, is incompatible with the cipher created by crypto.createCipher.
FAQs
Standard ECIES implemention for NodeJS based on crypto module with no other dependencies.
The npm package standard-ecies receives a total of 8 weekly downloads. As such, standard-ecies popularity was classified as not popular.
We found that standard-ecies demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.