arc4's Introduction

RC4 stream cipher. You can choose the algorithm from ["arc4", "rc4a", "vmpc", "rc4+"].

Encode/decode with different encodings (for String data only). From the Node.js documentation:

  • 'ascii' - for 7 bit ASCII data only. This encoding method is very fast, and will strip the high bit if set.
  • 'utf8' - Multibyte encoded Unicode characters. Many web pages and other document formats use UTF-8.
  • 'utf16le' - 2 or 4 bytes, little endian encoded Unicode characters. Surrogate pairs (U+10000 to U+10FFFF) are supported.
  • 'ucs2' - Alias of 'utf16le'.
  • 'base64' - Base64 string encoding.
  • 'binary' - A way of encoding raw binary data into strings by using only the first 8 bits of each character. This encoding method is deprecated and should be avoided in favor of Buffer objects where possible. This encoding will be removed in future versions of Node.
  • 'hex' - Encode each byte as two hexadecimal characters.

My original python code

Installation

Install through NPM

npm install arc4

or

git clone git://github.com/hex7c0/arc4.git

API

inside nodejs project

var rc4 = require('arc4');

var cipher = rc4('arc4', 'secret_key'); // algorithm, key
var d = cipher.encodeString('ciao');    // utf8 in, hex out (defaults)
var e = cipher.decodeString(d);         // hex in, utf8 out (defaults)

Methods

change your key and reload gKsa (warning)

cipher.change('foo');
cipher.change([30, 31]);
cipher.change(Buffer.from('foo'));

encode a plaintext string, you can optionally choose input (defaults to 'utf8') and output (defaults to 'hex') encoding

cipher.encodeString(plaintext [, input_encoding [, output_encoding]]);
cipher.encodeString('string', 'utf8', 'base64');

encode a plaintext array

cipher.encodeArray([49, 50, 51]);

encode a plaintext buffer

cipher.encodeBuffer(Buffer.from('ciao'));

select the right function according to the plaintext data type. Set input and output encoding only if the data is a String

cipher.encode(your_data [, input_encoding [, output_encoding]]);

decode a ciphertext string, you can optionally choose input (defaults to 'hex') and output (defaults to 'utf8') encoding

cipher.decodeString(ciphertext [, input_encoding [, output_encoding]]);
cipher.decodeString('string', 'utf8', 'base64');

decode a ciphertext array

cipher.decodeArray([49,50,51]);

decode a ciphertext buffer

cipher.decodeBuffer(Buffer.from('ciao'));

select the right function according to the ciphertext data type. Set input and output encoding only if the data is a String

cipher.decode(your_data [, input_encoding [, output_encoding]]);

rc4(algorithm, password [, lodash])

algorithm

  • algorithm - String Choose between ["arc4", "rc4a", "vmpc", "rc4+"] (default "throw Error")

password

  • password - String | Array | Buffer Your key (default "throw Error")

[lodash]

  • lodash - Boolean Use the lodash library (check the benchmark test to decide) (default "disabled")

Examples

Take a look at my examples

arc4's People

Contributors

drazisil, hex7c0, subtilior

arc4's Issues

missing documentation

There is no documentation except code, the code is quite readable and fine, but still, one shouldn't have to read code to figure out that encodeString takes cleartext, input_encoding and output_encoding, etc. (And apart from utf-8 and base64 mentioned in examples, I still don't know what the available encodings are.)

RC4A: S2 shouldn't be duplicate of S1 (+ potential solution)

Your implementation of RC4A disregards the second key k2 required to produce S2, and you instead use k1. Thus S1 and S2 are duplicates. The correct behavior should be k2 being PRBG output with k1 as its seed. Despite that being a loose definition.

A quote from the original paper on RC4A regarding this:

We take one randomly chosen key k1.
Another key k2 is also generated from a pseudorandom bit generator (e.g. RC4) using k1 as the seed.
Applying the Key Scheduling Algorithm, as described in Fig. 1, we construct two S-boxes S1
and S2 using the keys k1 and k2 respectively.

Unfortunately this description is vague. k2 is only mentioned twice in the entire paper, which is covered by the above quote. They suggest that a "Pseudo-random bit generator such as RC4" be used, with k1 being its seed. But RC4 is a stream cipher and requires both a key and message, as does RC4A (and RC4A requires S2 to progress to the PRBG stage regardless). Are they suggesting one must implement RC4 to implement RC4A? They give no specifics of its implementation. This seemingly left out detail may cause separate implementations of RC4A to not be compatible, due solely to differences in handling S2.

The simplest solution to this would be to use the 256-byte output of S1 as the generative key for S2. The only problem with this approach is whether or not RC4's key-scheduling algorithm qualifies as a PRBG as described in the paper. If so, I would highly suggest using it.
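
The S2 question raised in the issue above, as an added example (not arc4's code and not part of the issue): one RC4A output loop fed with three candidate k2 values, namely k1 itself (the reported duplicate), RC4 keystream keyed with k1, and the 256-byte S1 proposed above. All function names are hypothetical, and taking k1.length keystream bytes as k2 is an assumption, since the paper does not fix a length. The three choices produce three different keystreams for the same k1, which is the interoperability problem the issue describes.

```javascript
// Added example, not arc4's code; all function names are hypothetical.
// RC4 key schedule: returns the 256-byte S-box permuted by `key`.
function ksa(key) {
  const S = Uint8Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  return S;
}

// Plain RC4 output generation: the first n keystream bytes for `key`.
function rc4Stream(key, n) {
  const S = ksa(key), out = new Uint8Array(n);
  for (let k = 0, i = 0, j = 0; k < n; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// RC4A output generation: S1 and S2 advance in turn, each output byte is
// read from the *other* S-box. k2 is a parameter so derivations can be swapped.
function rc4a(k1, k2, n) {
  const S1 = ksa(k1), S2 = ksa(k2), out = new Uint8Array(n);
  let i = 0, j1 = 0, j2 = 0;
  for (let k = 0; k < n; ) {
    i = (i + 1) & 0xff;
    j1 = (j1 + S1[i]) & 0xff;
    [S1[i], S1[j1]] = [S1[j1], S1[i]];
    out[k++] = S2[(S1[i] + S1[j1]) & 0xff];
    if (k === n) break;
    j2 = (j2 + S2[i]) & 0xff;
    [S2[i], S2[j2]] = [S2[j2], S2[i]];
    out[k++] = S1[(S2[i] + S2[j2]) & 0xff];
  }
  return out;
}

// Three candidate k2 values for one k1 (the key is a constructed sample).
const k2Duplicate = (k1) => k1;                           // behaviour reported in the issue
const k2FromKeystream = (k1) => rc4Stream(k1, k1.length); // assumed reading of the paper
const k2FromSbox = (k1) => ksa(k1);                       // the issue's 256-byte S1 proposal
const hex = (u8) => Buffer.from(u8).toString('hex');
const sampleKey = Buffer.from('Key');
for (const derive of [k2Duplicate, k2FromKeystream, k2FromSbox])
  console.log(derive.name.padEnd(16), hex(rc4a(sampleKey, derive(sampleKey), 16)));
```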

dependency version of lodash (4.17.4) vulnerable

I just updated dependency of arc4 on lodash from version 4.17.4 to version 4.17.20 without any problems, since npm complained after installing arc4 (see below).

I'm not sure if it is safe to fix package.json here, for me it had no disadvantages.

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   arc4

  Path            arc4 > lodash

  More info       https://npmjs.com/advisories/577


  High            Prototype Pollution

  Package         lodash

  Patched in      >=4.17.11

  Dependency of   arc4

  Path            arc4 > lodash

  More info       https://npmjs.com/advisories/782


  High            Prototype Pollution

  Package         lodash

  Patched in      >=4.17.12

  Dependency of   arc4

  Path            arc4 > lodash

  More info       https://npmjs.com/advisories/1065


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.19

  Dependency of   arc4

  Path            arc4 > lodash

  More info       https://npmjs.com/advisories/1523

found 4 vulnerabilities (2 low, 2 high) in 3 scanned packages
  4 vulnerabilities require manual review. See the full report for details.
