krakenjs / kraken-example-with-passport

An example integrating kraken with passport authentication

bcrypt? Why not use the built-in crypto ? #15

Closed dennishall1 closed 8 years ago

dennishall1 commented 8 years ago

It seems that it would be better to use the built-in crypto module. It's basically a binding to OpenSSL, a fast, stable, secure, and well-vetted crypto library. Bonus: one less external dependency---and one that has to be BUILT at that (things that need node-gyp create slower npm i times, always nice to avoid).

If you're looking to encrypt data, all you have to do is call crypto.createCipher, which returns a readable/writable Stream. Write data into the stream and it will emit data events with the encrypted data.

For example:

```javascript
var crypto = require('crypto');

// createCipher returns a Duplex stream: plaintext goes in, ciphertext comes out.
var stream = crypto.createCipher('aes192', 'mysecretpassword');
stream.on('data', function(enc) {
    // enc is a `Buffer` with a chunk of encrypted data
});

stream.write('some secret data');
stream.end();
```

aredridel commented 8 years ago

Yeah, that's not a replacement: bcrypt is a hash, and an intentionally slow one, not a cipher. It's meant specifically to hash passwords, to resist brute forcing en masse even in the case that the password hash is leaked or exfiltrated. The closest equivalent in OpenSSL is PBKDF2, and that might be a reasonable alternative.

Also you may want to look thrice at OpenSSL as 'stable, secure and vetted'. It's been continuously condemned as a horror show of bad practices, some of them requiring API breaks to fix. Hence the BoringSSL, LibreSSL and other related projects existing (and having discovered major OpenSSL bugs along the way in their creation).

dennishall1 commented 8 years ago

:D noted. I'm glad there was thought put into this.