Comments (6)
Yes please, this is critical in cases where someone compromises their key
from cryptico.
Not going to happen. This lib is a distinct approach from what you want.
Usually, passphrase is used to encrypt an existing private key. Thus, it can be decrypted and then encrypted using different passphare.
This lib utilizes passphase as a seed for random number generator. Thus, private key is uniquely and tightly coupled with its passphare.
Think of it the same way as of a hash function. A hash function deterministically maps its input to some hash. You cannot just change one input to another input, chosen by your wish, and still get the same hash on output.
You would use this lib if you don't want to store private key. Thus, for an end-user of your application, passphase becomes indistinguishable from private key in matter of its usage and purpose. Lost passphrase = lost private key.
The practical applications of this are rare and should be well-thought-out before deployment, I would say. The enthropy of a key is very low (few orders of magnitude lower than should be for strong private key). Such approach is good for proving the knowledge of a passhprase to other party, but really bad for actual data encryption.
If you're already storing private keys, you should consider truly random generation for private keys and some common symmetric encryption with passphrase to secure a private key. Maybe, something like this https://github.com/brix/crypto-js#aes-encryption
from cryptico.
@arantir
can you use an trully random generation for passphrase and keep this code to generate the private key?
from cryptico.
@Elmapul I guess you want to generate a secure (to some extent) RSA key purely on client-side (in other words generate a key with a sophisticated server-side software and send it to the client is not a case for you). If so, then... yes, this can do the trick.
The concerns are how good is the randomness of your passphrase and how good is PRNG implementation in the library (this claim is true for any lib which generates a key from a seed), but I'm not that much of an expert in cryptography to judge.
from cryptico.
@arantir If this is really the way it operates, you should make this much clearer in the documentation. As it stands, a cursory look at this definitely leads people to misinterpret what this library does (as evidenced by the response on this issue)
from cryptico.
@fresheneesz Sorry, I'm not the owner or contributor (also have no intention to be the one), just used the lib few times long ago.
The way it operates is described on the front page https://github.com/wwwtyro/cryptico#encryption-technical-documentation
from cryptico.
Related Issues (20)
- How can I get the private key from the generated RSA key object? HOT 1
- Can cryptico use WebCrypto to accelerate the generation of RSA key pairs?
- RSA OAEP padding
- Cryptico for hybrid mobile apps
- is generateRSAKey() deterministic? HOT 4
- store javascript object rsa private key HOT 2
- cryptico for native ios application
- Add toJSON and fromJSON methods
- Uncaught TypeError: Cannot read property 'toString' of undefined HOT 3
- bnpFromNumber logical bug
- [feature suggestion] PEM support HOT 2
- Decrypt on Server Side HOT 1
- Getting error "Message too long for RSA (n=32, l=32)" HOT 1
- Can't encrypt text
- In jsbn, what is the correct function of variable DV?
- sign without encrypt?
- UTF-8 Support HOT 1
- Install cryptico HOT 1
- Can't encrypt text with Turkish characters? HOT 5
- a bug in library
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cryptico.