@squeep/mystery-box
v2.0.3
Published
Secure a payload in a web-safe format.
Downloads
24
Readme
Mystery Box
Our very own way of converting a buffer or serializable object to and from an opaque and web-safe representation, which we can let anyone see without disclosing the contents, nor allowing it to be modified without detection.
In our case, this results in a Base64URL encoded string containing a bespoke packing of encrypted and verified data.
API
async pack(contents, version, flags)
async unpack(box)
Example
const { MysteryBox } = require('@squeep/mystery-box');
const assert = require('assert');
const mb = new MysteryBox({
encryptionSecret: 'very secret',
});
(async () => {
const data = { important: 'to keep secret' };
const encrypted = await mb.pack(data);
const decrypted = await mb.unpack(encrypted);
assert.deepStrictEqual(decrypted, data);
})()
.then(() => console.log('data retrieved!'));
Details
This relies on AEAD ciphers, such as aes-256-gcm
and chacha20-poly1305
, to encrypt the payload and authenticate the additional metadata (version identifier, flags indicating payload details, the iv of the cipher, and the salt used to create the key) needed to decrypt the payload.
For each box, a new key is generated using the stored secret and a securely-random salt by way of a mechanism such as an XOF such as shake256
, a hash such as blake2b512
, or a more time-consuming multi-round hash such as scrypt
. This key is used to encrypt and authenticate the data and metadata, which is then encoded as a base64url string.
Statistics
A statistics
event is emitted for every pack or unpack, containing timing and other information.