bitwiseshiftleft / sjcl

Stanford Javascript Crypto Library
http://bitwiseshiftleft.github.com/sjcl/
Other
7.19k stars 988 forks source link

Is this project maintained? #435

Open raxod502 opened 2 years ago

raxod502 commented 2 years ago

This project seems like a promising option for JavaScript cryptography; however, I notice that the latest release is from 4 years ago and the latest commit is from 3 years ago, and most recent issues on the tracker have received no comments.

Given how critical active maintenance is for security-sensitive projects (e.g. cryptographic libraries), is it safe to use this library in a production application?

paulmillr commented 1 year ago

No. It is also very slow.

CashCode commented 1 year ago

@paulmillr any alternatives for elGamal-ecc with high speed on js?

paulmillr commented 1 year ago

@CashCode for elgamal nothing i'm aware of; for ecc noble-curves

ben-ekw commented 1 year ago

How about a RequireJS-compatible alternative for AES and Base64? I like the simplicity of sjcl's encrypt/decrypt functions but there doesn't appear to be helper functions for Base64:

function encode(str) {
    // Base64 encode
    return sjcl.codec.base64.fromBits(sjcl.codec.utf8String.toBits(str));
  }

  function decode(str) {
    // Base64 decode
    return sjcl.codec.utf8String.fromBits(sjcl.codec.base64.toBits(str));
  }
paulmillr commented 1 year ago

no require.js, but

https://github.com/paulmillr/micro-aes-gcm https://github.com/paulmillr/scure-base

import { base64 } from '@scure/base';
import * as aes from 'micro-aes-gcm';
const message = 'Hello world';
const ciphertext = await aes.encrypt(key, aes.utils.utf8ToBytes(message));
const plaintext = await aes.decrypt(key, ciphertext);
console.log(aes.utils.bytesToUtf8(plaintext) === message);
const encoded = base64.encode(ciphertext);
const decoded = base64.decode(encoded);
ben-ekw commented 1 year ago

Thanks @paulmillr! My use case involves NetSuite SuiteScript which sadly does not support require/import/module. For anyone in a similar rare situation, here's a recap of my research of popular crypto libraries in case it's helpful:

sjcl works, but slow, not frequently updated, and has a recent security vulnerability: https://github.com/bitwiseshiftleft/sjcl/issues/438

crypto-js Error: Native crypto module could not be used to get secure random number (note: v3.1.9-1 [2017] was the last version that works with NetSuite)

aes-js works, but the recommended CTR option has security risk and the CBC option requires fixed-byte length text; also requires a third-party PBKDF solution to generate the key.


No support for RequireJS/AMD/UMD


Obsolete/Archived projects:


Not considered: hashing-only libraries, like BCrypt, with no decrypt capability