@kirkelliott/kdfts 2.0.0 → 2.0.1

Files changed (2)
  1. package/README.md +4 -3
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -3,9 +3,9 @@
3
3
  [![CI](https://github.com/dmvjs/kdfts/actions/workflows/ci.yml/badge.svg)](https://github.com/dmvjs/kdfts/actions/workflows/ci.yml)
4
4
  [![license](https://img.shields.io/github/license/dmvjs/kdfts)](LICENSE)
5
5
 
6
- If you're storing passwords or deriving secrets that must survive a server compromise, the salt is what attackers try to precompute. A stolen PRNG seed, a weak entropy source, or a future algorithm break can reconstruct every salt you've ever generated. `kdfts` removes that attack surface by sourcing salt from the [ANU Quantum Random Number Generator](https://quantumnumbers.anu.edu.au) photon shot noise at a beam splitter. Those bytes were never produced by an algorithm. There is no state to steal.
6
+ Argon2id KDF with optional quantum-backed salt provenance. Salt is sourced from the [ANU Quantum Random Number Generator](https://quantumnumbers.anu.edu.au) (photon shot noise at a beam splitter) when available, with `strict` mode for deployments where that provenance is required. Falls back to `crypto.getRandomValues()` otherwise.
7
7
 
8
- Falls back silently to `crypto.getRandomValues()` when the ANU API is unavailable.
8
+ Standard CSPRNGs already satisfy OWASP's salt requirements. The ANU source adds auditable entropy provenance — useful for compliance workflows or systems that need to document their randomness chain, not a substitute for strong KDF parameters.
9
9
 
10
10
  ## Install
11
11
 
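Review bot: The new README text documents the fallback to `crypto.getRandomValues()` but not how a caller can tell, outside `strict` mode, which source actually produced a given salt; since the paragraph sells the ANU source as "auditable entropy provenance", the README should state whether the result records the provenance (or is logged), otherwise the audit claim cannot be verified after the fact. It would also help to note in this section that a salt fetched from a remote API is observed by that service and by every hop on the path, and that `strict` mode turns a third-party service into an availability dependency for hashing; the old 2.0.0 wording ("There is no state to steal") is rightly dropped, and the replacement sentence "not a substitute for strong KDF parameters" is the correct framing.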
@@ -77,10 +77,11 @@ const [keyA, keyB] = await Promise.all([
77
77
 
78
78
  | Option | Type | Default | Description |
79
79
  |---|---|---|---|
80
- | `context` | `string` | — | Domain separation string. Mixed in as `password \|\| 0x00 \|\| context`. |
80
+ | `context` | `string` | — | Domain separation string, passed as Argon2id `associatedData`. Embedded in the hash — no need to pass to `verify()`. |
81
81
  | `saltBytes` | `number` | `32` | Bytes of quantum entropy to fetch. |
82
82
  | `keyLength` | `number` | `32` | Output key length in bytes. |
83
83
  | `cost` | `{ timeCost, memoryCost, parallelism }` | `{ timeCost: 3, memoryCost: 65536, parallelism: 4 }` | Argon2id parameters. `memoryCost` is in KiB. Embedded in the hash — no need to track separately. |
84
+ | `strict` | `boolean` | `false` | Throw if the ANU source is unavailable instead of falling back to `crypto.getRandomValues()`. |
84
85
  | `source` | `QuantumSource` | — | Pre-created source for reuse or testing. |
85
86
 
86
87
  ## Security notes
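Review bot: The `context` row changes the documented derivation from mixing into the password (`password || 0x00 || context`) to Argon2id `associatedData`, which means a hash produced by 2.0.0 with a `context` will not verify under 2.0.1 with the same inputs; for a 2.0.0 to 2.0.1 patch release the table (or the Security notes section below) should state this compatibility break and how existing hashes are handled, or the change belongs in a major version. Two smaller points in the same table: the `saltBytes` description "Bytes of quantum entropy to fetch" is no longer accurate now that the salt may come from `crypto.getRandomValues()`, so "Salt length in bytes" would be truthful for both paths; and the `strict` row should say which error is thrown so callers can distinguish an unavailable ANU source from other failures.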
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kirkelliott/kdfts",
3
- "version": "2.0.0",
3
+ "version": "2.0.1",
4
4
  "description": "Quantum-seeded KDF — Argon2id with salt from ANU vacuum fluctuations",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",
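Review bot: Only the version changes here, but the `description` field still reads "Argon2id with salt from ANU vacuum fluctuations", which no longer matches the README in this same release (salt falls back to `crypto.getRandomValues()` unless `strict` is set); update the description to mention the optional nature of the quantum source so the registry listing does not overstate the guarantee. Given the `context` derivation change in the README hunk, a patch bump from `2.0.0` to `2.0.1` also looks too small under semver.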