The JavaScript blog.


libraries cryptography modules


Posted on .

TweetNaCl.js (GitHub: dchest/tweetnacl-js, npm: tweetnacl) is a JavaScript port of TweetNaCl -- a cryptography library in 100 tweets.

NaCl in this case isn't Google Native Client or sodium chloride, but a library for fast cryptographic operations. TweetNaCl builds on it to implement an auditable high-security cryptographic library. There's a paper on it with more details.

TweetNaCl.js is interesting because it ports all of this to JavaScript, using the new 64-bit TypedArray APIs, like Float64Array. It implements secret-key authenticated encryption, public-key authenticated encryption, hashing, and public-key signatures.

One of the authors, Dmitry Chestnykh, said this about the library:

It's not a toy crypto library: the underlying primitives are djb's (https://en.wikipedia.org/wiki/Daniel_J._Bernstein) XSalsa20, Poly1305, Curve25519, and Ed25519, which are used OpenSSH and draft TLS (http://googleonlinesecurity.blogspot.com/2014/04/speeding-up-and-strengthening-https.html5).

You can install it with npm or Bower. As far as usage goes, I've been looking at the code in the tests to get a feel for how it works, but there's documentation in the readme as well:

test('nacl.sign and nacl.sign.open specified vectors', function(t) {  
  specVectors.forEach(function(vec) {
    var keys = nacl.sign.keyPair.fromSecretKey(dec(vec[0]));
    var msg = dec(vec[1]);
    var goodSig = dec(vec[2]);

    var sig = nacl.sign(msg, keys.secretKey);
    t.equal(enc(sig), enc(goodSig), 'signatures must be equal');
    var openedMsg = nacl.sign.open(msg, sig, keys.publicKey);
    t.equal(enc(openedMsg), enc(msg), 'messages must be equal');


node cryptography modules security mysql

Node Roundup: otr, matches.js, mariasql

Posted on .

You can send in your Node projects for review through our contact form or @dailyjs.

Off-the Record Messaging Protocol

otr (License: LGPL, npm: otr) by Arlo Breault is an implementation of an Off-the Record Messaging Protocol:

Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides perfect forward secrecy and malleable encryption.

It's designed to be used in browsers, but can also be used with Node. The readme has details on how to get started with otr, and the author notes that the project has been used by Cryptocat.


matches.js (License: MIT, npm: matches) by Nathan Faubion is a pattern matching shorthand library that can create new objects with a convenient wrapper:

var myfn = pattern({  
  // Null
  'null' : function () {...},

  // Undefined
  'undefined' : function () {...},

  // Numbers
  '42'    : function () { ... },
  '12.6'  : function () { ... },
  '1e+42' : function () { ... },

  // Strings
  '"foo"' : function () { ... },

  // Escape sequences must be double escaped.
  '"This string \\n matches \\n newlines."' : function () { ... }

The author has used this library to create adt.js, which is a library for making pseudo-algebraic types and immutable structures:

... I say pseudo because it just generates classes with boilerplate that make them look and work like types in functional languages like Haskell or Scala. It works in the browser or on the server.


mariasql (License: MIT, npm: mariasql) by Brian White is a high performance, single-threaded, asynchronous, cross-platform MySQL driver. It's based on libmariadbclient, and the author notes that it works more like a typical Node module:

This module strives to keep with the "node way" by never buffering incoming rows. Also, to keep things simple, all column values are returned as strings (except MySQL NULLs are casted to JavaScript nulls).

Brian has posted benchmarks that compare various SQL operations across several client libraries, including C and PHP-based samples: MySQL client library benchmarks.


libraries graphics cryptography documentation security

Mozilla Secure Coding Guidelines, Raphaël 2.0, cryptico.js

Posted on .

Mozilla Secure Coding Guidelines

Mozilla's WebAppSec/Secure Coding

is a set of coding guidelines for developing secure applications.
There's a lot information about securing application layer
communications, but there's also some JavaScript-specific advice.
JavaScript input validation is considered, along with preventing XSS
attacks, and uploads as a JavaScript-based XSS attack vector.

Mozilla also introduced Aurora
which includes a JavaScript interface for Do Not
and the addition of type inference.

Raphaël 2.0

Dmitry Baranovskiy has released Raphaël 2.0
(GitHub: DmitryBaranovskiy / raphael). Dmitry wrote a
post on February 10th about the planned features for Raphaël
The GitHub history indicates that this version has a new VRML version,
and the project has been split up into three files: raphael.svg.js,
raphael.vml.js, and raphael.core.js.

If you want to figure out the other changes, either look through
Raphaël's documentation or try to read more of the history on GitHub.


cryptico.js (Google Code: cryptico, License: New BSD License) is a public key cryptography library that can generate RSA key
pairs, encrypt and decrypt messages.

Keys can be generated with cryptico.generateRSAKey(passPhrase,
, and messages can be encrypted with
cryptico.encrypt(message, publicKeyString).

The cryptico documentation
includes notes on the library's implementation:

A hash is generated of the user's passphrase using the SHA256 algorithm found at webtoolkit.info. This hash is used to seed David Bau's seedable random number generator. A (seeded) random RSA key is generated with Tom Wu's RSA key generator with 3 as a hard-coded public exponent.


graphics cryptography

Pixastic, JavaScript TLS

Posted on .


Pixastic (MPL) uses the canvas element to apply effects to images. The supported effects include blur, noise,
emboss, brightness/contrast, desaturate, and noise removal.

The source code is available on GitHub under
jseidelin/pixastic. There's also a photo editor demo that uses the

Like many similar libraries, the core of the plugin relies on
getImageData from the canvas API.

A JavaScript TLS Implementation

Forge is a JavaScript TLS implementation. TLS (Transport Layer Security) is a cryptographic
protocol for secure client/server communication. Forge currently depends
on Flash for sockets, but it could remove the dependency in the future.

The authors have written a detailed background to the library in two
parts, including the rationale behind implementing TLS in JavaScript: