Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is this project maintained? #435

Open
raxod502 opened this issue Nov 9, 2022 · 6 comments
Open

Is this project maintained? #435

raxod502 opened this issue Nov 9, 2022 · 6 comments

Comments

@raxod502
Copy link

raxod502 commented Nov 9, 2022

This project seems like a promising option for JavaScript cryptography; however, I notice that the latest release is from 4 years ago and the latest commit is from 3 years ago, and most recent issues on the tracker have received no comments.

Given how critical active maintenance is for security-sensitive projects (e.g. cryptographic libraries), is it safe to use this library in a production application?

@paulmillr
Copy link

No. It is also very slow.

@CashCode
Copy link

@paulmillr any alternatives for elGamal-ecc with high speed on js?

@paulmillr
Copy link

@CashCode for elgamal nothing i'm aware of; for ecc noble-curves

@ben-ekw
Copy link

ben-ekw commented May 23, 2023

How about a RequireJS-compatible alternative for AES and Base64? I like the simplicity of sjcl's encrypt/decrypt functions but there doesn't appear to be helper functions for Base64:

function encode(str) {
    // Base64 encode
    return sjcl.codec.base64.fromBits(sjcl.codec.utf8String.toBits(str));
  }

  function decode(str) {
    // Base64 decode
    return sjcl.codec.utf8String.fromBits(sjcl.codec.base64.toBits(str));
  }

@paulmillr
Copy link

no require.js, but

https://github.com/paulmillr/micro-aes-gcm
https://github.com/paulmillr/scure-base

import { base64 } from '@scure/base';
import * as aes from 'micro-aes-gcm';
const message = 'Hello world';
const ciphertext = await aes.encrypt(key, aes.utils.utf8ToBytes(message));
const plaintext = await aes.decrypt(key, ciphertext);
console.log(aes.utils.bytesToUtf8(plaintext) === message);
const encoded = base64.encode(ciphertext);
const decoded = base64.decode(encoded);

@ben-ekw
Copy link

ben-ekw commented May 23, 2023

Thanks @paulmillr! My use case involves NetSuite SuiteScript which sadly does not support require/import/module. For anyone in a similar rare situation, here's a recap of my research of popular crypto libraries in case it's helpful:

sjcl
works, but slow, not frequently updated, and has a recent security vulnerability: #438

crypto-js
Error: Native crypto module could not be used to get secure random number
(note: v3.1.9-1 [2017] was the last version that works with NetSuite)

aes-js
works, but the recommended CTR option has security risk and the CBC option requires fixed-byte length text; also requires a third-party PBKDF solution to generate the key.


No support for RequireJS/AMD/UMD

  • forge
  • aes-gcm
  • tweetnacl-js
  • scure-base
  • ursa
  • crypto-browserify
  • js-nacl
  • openpgp
  • browserid-crypto
  • webcryptobox
  • closure-library
  • libsodium
  • ironweb
  • themis
  • jsencrypt / jsbn

Obsolete/Archived projects:

  • cryptico
  • pidcrypt
  • jscrypto
  • cifre
  • polycrypt
  • foxycrypt
  • cryptojs
  • asmcrypto
  • clipperz
  • gostcrypto

Not considered: hashing-only libraries, like BCrypt, with no decrypt capability

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants