Hi Austin,

I want to encrypt a json document and send it through insecure channels (e.g. unencrypted email, untrusted messaging channels).
The json document itself is encrypted by "crypto.createCipher" and decrypted by "crypto.createDecipher". First I was somehow stuck on using a private/public key for encrypting the json document but actually this is unnecessary. Using one single shared key is enough and this could actually be generated by "crypto.randomBytes". I was just a bit confused by the different sets of algorithms and approaches as I actually never worked with crypto stuff before.

Are there still any issues with my current approach?

On 31.08.2013 at 14:10, Austin William Wright <[email protected]> wrote:

> What are you actually trying to do?
>
> Implementing security isn't something to take lightly... Even if you think
> you're not protecting anything of great importance, your users often are. For
> instance, many users will (despite appeals to common sense) use the same
> password that they do for their bank account.
>
> Don't write your own crypto. It is not a one-man job: crypto libraries like
> OpenSSL spend great amounts of time under peer review by large numbers of
> developers and experts (and that's still not good enough!). I've never seen a
> secure hand-built cryptographic protocol. And anything you build, if it ends
> up containing all the features necessary to be secure, is going to look
> suspiciously like TLS.
>
> Use TLS. Fork a call to OpenSSL to generate an X.509 certificate, and use the
> certificate fingerprint to identify it.
>
> Diffie-Hellman generates a shared secret over an interactive, authenticated
> channel. There's no good reason for anyone to use Diffie-Hellman directly.
> The only part of the 'crypto' module that anyone should be using is HMAC or
> PBKDF2... Everything else can be handled by TLS (for interactive
> communication) or PGP (for storing data securely... I don't know about
> Node.js support for PGP, but native support for it would be nice).
>
> And, in case anyone was thinking so, I would _NOT_ trust a JavaScript library
> to do this under _any_ circumstances.
>
> Finally, I'd seek out a security professional. If you feel the need to
> encrypt something (like in a database), there's probably larger issues to
> consider.
>
> On Saturday, August 31, 2013 4:01:00 AM UTC-7, [email protected] wrote:
> I want to encrypt a json object with a public key so I do not have to worry
> about it being transported without ssl/tls.
> As relying on only one static key pair would be quite dangerous I wanted to
> use "dynamic" key pairs (one key pair for each connection).
>
> I am not common with Diffie-Hellman but it seems usable for this situation.
>
> Is this correct or would you recommend to stick with using the OpenSSL shell?
>
> On Saturday, 31 August 2013 11:55:54 UTC+2, Ben Noordhuis wrote:
> On Sat, Aug 31, 2013 at 11:02 AM, <[email protected]> wrote:
> > Hello,
> >
> > you all know OpenSSL key pairs used for SSL connections.
> >
> > I want to create one in node.js natively unfortunately I only found
> > spawning a child process which calls openssl from the command line can
> > do this.
> >
> > Is this correct or is there also a native npm package which does this
> > for me?
> >
> > Best,
> > Bodo
>
> I don't know of any npm packages. If there are, they probably shell
> out to `openssl` because:
>
> a) there is no support in node.js core for generating private keys
> or certificates except for ephemeral Diffie-Hellman keys, and
>
> b) it's exceedingly difficult for native add-ons to link to the
> bundled copy of OpenSSL. We'll fix that - someday.
>
> --
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
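
Added example, not part of the original thread: the shared-key case asked about at the top of this message, written against Node's built-in `crypto` module. `crypto.createCipher` derives key and IV from a password without a salt and gives the receiver no way to detect modification, so this version uses `crypto.createCipheriv` with AES-256-GCM, a `crypto.randomBytes` key and a fresh nonce per message. The function names, the envelope layout (nonce || tag || ciphertext) and the sample document are assumptions made for the example.

```javascript
// Added example (not code from the thread). Function names, the envelope
// layout and the sample document are constructed for illustration.
const crypto = require('crypto');

const ALGO = 'aes-256-gcm';
const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // 128-bit authentication tag

// Shared key: 32 random bytes, given to the recipient out of band.
function generateKey() {
  return crypto.randomBytes(32);
}

// Encrypts doc and returns base64(nonce || tag || ciphertext).
// context is authenticated but not encrypted (e.g. a message type).
function sealJson(key, doc, context = '') {
  const nonce = crypto.randomBytes(NONCE_LEN); // never reuse with the same key
  const cipher = crypto.createCipheriv(ALGO, key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const body = Buffer.concat([cipher.update(JSON.stringify(doc), 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Returns the parsed document; throws if the envelope was modified,
// truncated, or sealed under a different key or context.
function openJson(key, envelope, context = '') {
  const raw = Buffer.from(envelope, 'base64');
  if (raw.length < NONCE_LEN + TAG_LEN) throw new Error('envelope too short');
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv(ALGO, key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([
    decipher.update(raw.subarray(NONCE_LEN + TAG_LEN)),
    decipher.final(), // tag is verified here; a mismatch throws
  ]);
  return JSON.parse(plain.toString('utf8'));
}

// Simulates modification in transit by flipping one bit of the last byte.
function flipLastBit(envelope) {
  const raw = Buffer.from(envelope, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64');
}

const key = generateKey();
const sealed = sealJson(key, { user: 'alice', amount: 42 }, 'invoice-v1');
console.log(openJson(key, sealed, 'invoice-v1'));
```

The key still has to reach the recipient over a channel the attacker cannot read; the envelope itself can travel over the insecure one.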
