A passionate developer from Italy. I am a technical leader experienced in building, scaling and restructuring high-performing distributed remote tech teams.
- ๐ซ How to reach me [email protected]
rc4 stream cipher for Nodejs
Home Page: https://github.com/hex7c0/arc4
License: GNU General Public License v3.0
A passionate developer from Italy. I am a technical leader experienced in building, scaling and restructuring high-performing distributed remote tech teams.
I just updated dependency of arc4 on lodash from version 4.17.4 to version 4.17.20 without any problems, since npm complained after installing arc4 (see below).
I'm not sure if it is safe to fix package.json here, for me it had no disadvantages.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of arc4
Path arc4 > lodash
More info https://npmjs.com/advisories/577
High Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of arc4
Path arc4 > lodash
More info https://npmjs.com/advisories/782
High Prototype Pollution
Package lodash
Patched in >=4.17.12
Dependency of arc4
Path arc4 > lodash
More info https://npmjs.com/advisories/1065
Low Prototype Pollution
Package lodash
Patched in >=4.17.19
Dependency of arc4
Path arc4 > lodash
More info https://npmjs.com/advisories/1523
found 4 vulnerabilities (2 low, 2 high) in 3 scanned packages
4 vulnerabilities require manual review. See the full report for details.
There is no documentation except code, the code is quite readable and fine, but still, one shouldn't have to read code to figure out that encodeString takes cleartext, input_encoding and output_encoding, etc. (And apart from utf-8 and base64 mentioned in examples, I still don't know what the available encodings are.)
There are 20 versions of arc4 in https://eprint.iacr.org/2014/315 which you could try and implement as they are all unique in their own way.
Your implementation of RC4A disregards the second key k2
required to produce S2
, and you instead use k1
. Thus S1
and S2
are duplicates. The correct behavior should be k2
being PRBG output with k1
as its seed. Despite that being a loose definition.
A quote from the original paper on RC4A regarding this:
We take one randomly chosen key
k1
.
Another keyk2
is also generated from a pseudorandom bit generator (e.g. RC4) usingk1
as the seed.
Applying the Key Scheduling Algorithm, as described in Fig. 1, we construct two S-boxesS1
andS2
using the keysk1
andk2
respectively.
Unfortunately this description is vague. k2
is only mentioned twice in the entire paper, which is covered by the above quote. They suggest that a "Pseudo-random bit generator such as RC4" be used, with k1
being its seed. But RC4 is a stream cipher and requires both a key and message, as does RC4A (and RC4A requires S2
to progress to the PRBG stage regardless). Are they suggesting one must implement RC4 to implement RC4A? They give no specifics of its implementation. This seemingly left out detail may cause separate implementations of RC4A to not be compatible, due solely to differences in handling S2
.
The simplest solution to this would be to use the 256-byte output of S1
as the generative key for S2
. The only problem with this approach is whether or not RC4's key-scheduling algorithm qualifies as a PRBG as described in the paper. If so, I would highly suggest using it.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.