What are you actually trying to do? Implementing security isn't something to take lightly... Even if you think you're not protecting anything of great importance, your users often are. For instance, many users will (despite appeals to common sense) use the same password that they do for their bank account.
Don't write your own crypto. It is not a one-man job: crypto libraries like OpenSSL spend great amounts of time under peer review by large numbers of developers and experts (and that's still not good enough!). I've never seen a secure hand-built cryptographic protocol. And anything you build, if it ends up containing all the features necessary to be secure, is going to look suspiciously like TLS.

Use TLS. Fork a call to OpenSSL to generate an X.509 certificate, and use the certificate fingerprint to identify it.

Diffie-Hellman generates a shared secret over an interactive, authenticated channel. There's no good reason for anyone to use Diffie-Hellman directly. The only part of the 'crypto' module that anyone should be using is HMAC or PBKDF2... Everything else can be handled by TLS (for interactive communication) or PGP (for storing data securely... I don't know about Node.js support for PGP, but native support for it would be nice). And, in case anyone was thinking so, I would _NOT_ trust a JavaScript library to do this under _any_ circumstances.

Finally, I'd seek out a security professional. If you feel the need to encrypt something (like in a database), there are probably larger issues to consider.

On Saturday, August 31, 2013 4:01:00 AM UTC-7, [email protected] wrote:
> I want to encrypt a json object with a public key so I do not have to
> worry about it being transported without ssl/tls.
> As relying on only one static key pair would be quite dangerous I wanted
> to use "dynamic" key pairs (one key pair for each connection).
>
> I am not common with Diffie-Hellman but it seems usable for this
> situation.
>
> Is this correct or would you recommend to stick with using the OpenSSL
> shell?
>
> On Saturday, 31 August 2013 11:55:54 UTC+2, Ben Noordhuis wrote:
>> On Sat, Aug 31, 2013 at 11:02 AM, <[email protected]> wrote:
>> > Hello,
>> >
>> > you all know OpenSSL key pairs used for SSL connections.
>> >
>> > I want to create one in node.js natively; unfortunately I only found
>> > spawning a child process which calls openssl from the command line
>> > can do this.
>> >
>> > Is this correct or is there also a native npm package which does this
>> > for me?
>> >
>> > Best,
>> > Bodo
>>
>> I don't know of any npm packages. If there are, they probably shell
>> out to `openssl` because:
>>
>> a) there is no support in node.js core for generating private keys
>>    or certificates except for ephemeral Diffie-Hellman keys, and
>>
>> b) it's exceedingly difficult for native add-ons to link to the
>>    bundled copy of OpenSSL. We'll fix that - someday.
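The approach recommended in the reply at the top of this thread (call OpenSSL to generate an X.509 certificate and identify it by its fingerprint), sketched for Node.js as an added example that is not part of the original messages. The function names and the common-name value are assumptions, and the `openssl` binary is assumed to be on the PATH.

```javascript
// Added example, not from the thread. Function names and the CN value are assumptions.
const { execFileSync } = require("child_process");
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");

// Generate a key and self-signed X.509 certificate by calling the openssl CLI.
// execFileSync takes an argument array, so no shell ever parses the input.
function generateSelfSigned(commonName) {
  // Reject '/' and other characters that could smuggle extra -subj fields.
  if (!/^[A-Za-z0-9.-]{1,64}$/.test(commonName)) throw new Error("invalid common name");
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cert-")); // 0700 on POSIX
  const keyPath = path.join(dir, "key.pem");
  const certPath = path.join(dir, "cert.pem");
  try {
    execFileSync("openssl", ["req", "-x509", "-newkey", "rsa:2048", "-nodes",
      "-sha256", "-days", "365", "-subj", "/CN=" + commonName,
      "-keyout", keyPath, "-out", certPath], { stdio: "ignore" });
    return { key: fs.readFileSync(keyPath, "utf8"), cert: fs.readFileSync(certPath, "utf8") };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true }); // do not leave the key on disk
  }
}

// SHA-256 fingerprint: the hash of the DER bytes inside the PEM armor.
function fingerprint(certPem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(certPem);
  if (!m) throw new Error("no PEM certificate found");
  const der = Buffer.from(m[1].replace(/\s+/g, ""), "base64");
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Check a presented certificate against a pinned fingerprint (hex, colons allowed).
function matchesPin(certPem, pinnedHex) {
  const got = Buffer.from(fingerprint(certPem), "hex");
  const want = Buffer.from(pinnedHex.replace(/:/g, "").toLowerCase(), "hex");
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Usage: const { key, cert } = generateSelfSigned("node-a.example");
//        store fingerprint(cert) out of band, then call matchesPin(peerCertPem, pin).
```

The key and certificate are meant to be handed to the TLS layer, with the pinned fingerprint distributed over a channel the peers already trust.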
