We are using crypto package in our node js app. The thing is we do not want the developer to know about the encryption algorithm we implemented. However, the developer would be knowing the encryption algorithm and the encryption key as they can view the source code of the encryption algorithm.
So my question is: is it possible to compile the encryption algorithm into a file like dll(.NET) or jar file (java) and include it in the project (open source solution). If not, how to prevent developer from viewing the source code?
The final expectation is the developer will know we use crypto package, but do not know we use what algorithm and key we implemented.
Note: I do not expect solution of restricting file access to the user nor hosting it in another environment.
node-ffi is a Node.js addon for loading and calling dynamic libraries using pure JavaScript. It can be used to create bindings to native libraries without writing any C++ code.
https://github.com/node-ffi/node-ffi
Related
I have a project which is a web application which is using Django framework which contains python and shell scripts in it.
I wanted to Encrypt the package, so that the customers couldn't read/write what's there inside.
Is there a way to encrypt the packages.
You cannot succeed via encryption or obfuscation etc.. Depending on your clients, a simple contract, and maybe some really basic checks will go a long much further than some complicated decryption system.
It's like hiding your URL on your website so hacker won't find it ... with very simple tool this break, same goes for you.
You might try to ship it as .pyc (Python compiled byte-code), but again... simple for them to reverse it.
I don't want to install another openssl when knowing Google gRPC has a working version of boringSSL.
Now, my challenge is to be able to access some functionalities such as calculate a salt and CMAC.
I am aware that Google does not promote the use of it in case something changes and breaks my code.
I saw there is file called 'binding.gyp' in the root of node_modules/grpc, but don't know if possible to use it.
Any suggestions are welcome.
Thanks
There are several layers of problems with your question, and it's missing a lot of context, but here's a few things I can provide based on what I am getting:
First, grpc-node is deprecated, and you should move over to grpc-js, which is no longer containing native code.
Then, grpc-node doesn't actually use BoringSSL, it's in fact relying on nodejs exposing OpenSSL itself as a native API.
And finally, you're supposed to be able to use nodejs' exposed OpenSSL API in a native node module: https://nodejs.org/api/addons.html#addons_linking_to_libraries_included_with_node_js
first things first , i have seen nwsnapshot. and its not helping.
i am building an inventory management system as a desktop app using node-webkit . the project being built is using compoundjs (mvc javascript library). which have a definite folder structure (you know mvc) and multiple javascript files inside them.
the problem is nwsnapshot allows the app to have only a single snapshot file but the logic of application is spread over all the folders in different javascript files.
so how do i secure my source code before shipping it to client? Or any other work-around Or smarter way (yes, i know about obfuscating).
You can use nodewebkit command called nwsnapshot to compile the javascript code into binary which will be loaded into the app without specifying any js file
nwsnapshot --extra-code application.js application.bin
in your package.json add this:
snapshot: 'application.bin'
It really depends on what you mean by "secure".
You can obfuscate your javascript code fairly well (as well as potentially improve performance) by using the Google Closure Compiler.
I'm not aware of any off-the-shelf solutions to encrypt/decrypt your javascript, and honestly I would question the need for that.
Some people think they need to make it impossible to view their source code, because they're used to dealing with compiled languages where you only ship binaries to users. The fact is, reverse-engineering that binary code was never as difficult as some people think it is, so if there's any financial incentive, there is practically no difference between shipping source code and the traditional shipping of binaries.
Some languages have offered genuine encryption of deployed assets, such as Microsoft's SLPS. It seems to me that the market for this was so small that Microsoft gave it to a partner (just my view). The truth is that most customers are not interested in taking your source code; they're far more interested in your ability to service and support that code in an efficient manner, while they get on with their job.
You may consider to merge the JS files into one in the build process and compile it.
I use dovecot as my mail transfer agent and I aim to use the strongest password scheme which is supported by my system: SHA512-CRYPT or SHA256-CRYPT (BLF-CRYPT doesn't work).
For my own written webinterface I look for a function or library in node.js for hashing a password (with SHA***-CRYPT).
You may consider checking: https://github.com/mvo5/sha512crypt-node which contains a implementation for sha512crypt in JS. Its very new but passes the testvectors from the glibc reference implementation.
Check out my fork of shacrypt - a Node.js addon that supports SHA-256 crypt and SHA-512 crypt password hashing.
I extended it to:
Support asynchronous operation where computation is performed in Node.js's libuv thread pool, so it won't block the event loop.
Allow the module to be built under Windows
You will need to have C++ build tools installed on your system to successfully install the package. If you are running under Windows, you can download Microsoft's Build Tools for Visual Studio 2017.
Link:
https://github.com/vlasky/shacrypt
Have you seen this page:
cryto.createHash sha512 with hexDigest input type
You can use crypto.createHash function, but why SHA512? Are you sure you need it for your website?
I'd like to incorporate security features in my standalone XULRunner app. Specifically, I'd like to use security certificates to validate the app executable as downloaded by a user. From what I've seen, its called code signing. But I'm very green in this area. Any pointers on how to proceed? Thanks in advance.
The certificate functionality built into XULRunner isn't meant to validate signatures of Windows executables - you would need to use Windows functions for that (e.g. via js-ctypes). Not going to be simple however, here you can see how that check works in C++ code.
However, if you are merely downloading an update to your application then maybe using an HTTPS connection would be sufficient - the origin of the executable is verified then (won't help you if that server is hacked however).