npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

jstink

v1.2.5

Published

A simple, easy-to-use Javascript crytopgraphy library.

Downloads

113

Readme

jstink

A simple, easy-to-use Javascript crytopgraphy library.

Description

Google's excellent Tink cryptographic library exists to help developers without cryptographic backgrounds safely implement common cryptographic tasks.

Unfortunately for Javascript developers, there is no production-ready Javascript version available.

jstink was built to fill this gap. It provides a very simple API that is hard to misuse, and is compatible with Tink ciphertexts and with Tinkey encrypted keysets.

jstink currently only supports AES encryption in GCM mode. AES (Advanced Encryption Standard) is recommended by NIST for federal use in the encryption of classified and unclassified data. GCM (Galois/Counter Mode) is also recommended by NIST and provides authentication as well as encryption - that is it ensures the integrity and authenticity of encrypted data in addition to ensuring confidentiality. GCM also accepts associated data which is authenticated but not encrypted.

jstink currently only supports Tink keysets encrypted with AWS KMS keys.

Getting Started

Let's walk through setting up a simple project that can encrypt and decrypt data using an AES256_GCM key that has been encrypted with a master key stored in AWS KMS. These steps assume you have Node.js and npm already installed.

  1. Create a new Node.js project

  2. Inside of the project, install jstink using npm:

npm install jstink
  1. Create a new symmetric key in AWS KMS that will be used to encrypt our Tinkey data encryption key. This step assumes you have the AWS CLI installed and configured:
aws kms create-key --description "Key for jstink encryption"

Make a note of the key ARN as you'll need it later.

  1. Install Tinkey.

  2. Create a new Tinkey key, envelope encrypted with your newly created AWS KMS key:

tinkey create-keyset \
    --key-template AES256_GCM \
    --out keyset.json \
    --master-key-uri aws-kms://${MASTER_KEY_ARN}

Because this key is envelope encrypted with the AWS KMS key you can store it with the data or with the application.

  1. Now you can encrypt and decrypt data:
const { Aead } = require('jstink');
const fs = require('fs');

const keyset = JSON.parse(fs.readFileSync('./keyset.json'));
const aead = new Aead(keyset);

const ciphertext = await aead.encrypt('Hello World!', 'associatedData');
const plaintext = await aead.decrypt(ciphertext, 'associatedData');
  1. At some point, as determined by your cryptoperiod, you'll want to rotate your keys. Tinkey makes this nice and easy. First, create a new key:
tinkey add-key \
    --key-template AES256_GCM \
    --in keyset.json \
    --out keysetv2.json \
    --master-key-uri aws-kms://${MASTER_KEY_ARN}

Once you've deployed this keyset, you can make it the default for encryption:

tinkey promote-key \
    --key-id <new-key-id> \
    --in keysetv2.json \
    --out keysetv3.json \
    --master-key-uri aws-kms://${MASTER_KEY_ARN}

Decrypt operations will still use the key that was used for encryption (the encryption key ID is stored as part of the Tink wire format). To completely remove the old key (e.g. in the event of a compromise) you'll need to run a process to re-encrypt all data encrypted with the old key, then you can delete the old key:

tinkey delete-key \
    --key-id <key-id> \
    --in keysetv3.json \
    --out keysetv4.json \
    --master-key-uri aws-kms://${MASTER_KEY_ARN}

Using Authenticated Associated Data (AAD)

The GCM algorithm used by jstink is an Authenticated Encryption with Associated Data (AEAD) encryption method. This means that it provides for authentication as well as confidentiality, and also allows the message to contain "associated data". This associated data is authenticated but not encrypted. A decryption operation will only work if the same associated data is used for decryption that was used for encryption.

One use of AAD is to bind a ciphertext to it's encryption context. For example, we can use a username as the associated data for data that is encrypted for a specific user:

const ciphertext = await aead.encrypt(userData, username);

This can prevent attacks where encrypted data is 'cut-and-pasted' from one user to another.