Merge pull request #23517 from geekpi/translating

translated
This commit is contained in:
geekpi 2021-10-12 08:52:31 +08:00 committed by GitHub
commit b50849ec0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 70 additions and 71 deletions

View File

@ -1,71 +0,0 @@
[#]: subject: "3 new features of the latest OpenPGP.js version"
[#]: via: "https://opensource.com/article/21/10/openpgpjs"
[#]: author: "Daniel Huigens https://opensource.com/users/twiss"
[#]: collector: "lujun9972"
[#]: translator: "geekpi"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
3 new features of the latest OpenPGP.js version
======
OpenPGP.js is a cryptography library that implements the OpenPGP
standard, most commonly used for email encryption.
![email or newsletters via inbox and browser][1]
[OpenPGP.js][2] is a cryptography library that implements the [OpenPGP standard][3], most commonly used for email encryption. ProtonMail, Mailvelope, and FlowCrypt all use OpenPGP.js, to name a few. That means the OpenPGP.js library encrypts millions of users' messages.
The OpenPGP standard, first published in the 1990s, like almost anything, requires maintenance and updating for both security and usability. A "crypto refresh" of the standard [is in the works][4], which adds modern encryption algorithms and deprecates outdated ones. To improve usability, various email applications now allow users to seamlessly encrypt their communication—without managing their keys or those of their contacts.
First released in 2014, OpenPGP.js began based on an early prototype called GPG4Browsers, which is based on several scripts by Herbert Hanewinkel (among other contributors). The second version of OpenPGP.js, released in 2016, was completely reworked to use Uint8Arrays instead of strings (which significantly increased its performance) and modern ES6 modules rather than CommonJS modules internally. Versions 3 and 4, both released in 2018, added support for Elliptic-curve cryptography (ECC) and streaming, respectively.
My team and I continue working on OpenPGP.js to ensure its evolution as an easy-to-use library for strong encryption.
### 1\. Elliptic-curve cryptography by default
In OpenPGP.js version 4, RSA was used when generating new keys by default. Although ECC is faster and more secure, Curve25519 had not been standardized in the OpenPGP specification yet. The crypto refresh draft does include Curve25519, and it is expected to be included "as is" in the next version of the OpenPGP specification, so OpenPGP.js version 5 now generates keys using ECC by default.
### 2\. Import only the modules you need
Similarly, while OpenPGP.js used ES6 modules internally for years, version 4 still didn't publish a proper ES6 module. Instead, it published only a Univeral Module Definition (UMD) module that could run both in the browser and on Node.js. In version 5, this changes by publishing separate modules for the browser and Node.js (both ES6 and non-ES6), making it easier for library users to import OpenPGP.js on all platforms and (when using the ES6 module) only import the parts they need. This is enabled in large part by switching the build system to [rollup][5].
### 3\. Reject weak cryptography
There are also many other security improvements. For example, 1024-bit RSA keys, ElGamal, and DSA keys are considered insecure and are rejected by default. Additionally, where version 4 already defaulted to AES-encryption, version 5 now refuses to encrypt using weaker algorithms entirely by default, even if the public key claims to only support a weaker algorithm. It instead assumes that all OpenPGP implementations support AES (which has been the case for a very long time).
### What's next for OpenPGP.js
Looking ahead, there are some security improvements to make. Key fingerprints, used to identify public keys, still use SHA-1, though a fix for this is planned in the crypto refresh. In the meantime, it is recommended to use different means to ascertain the authenticity of any public key used for encryption, such as by fetching the entire key directly from the recipient's domain using the proposed [Web Key Directory (WKD)][6] standard—already implemented by various [email providers][7]. WKD support was built into OpenPGP.js version 4 but is a separate module in version 5 to keep the main library lean.
Similarly, when encrypting messages or files with a password rather than a public key (uncommon when using OpenPGP for email encryption, but more so when used for encrypted backups, for example), the password is converted to a symmetric key using a relatively weak key derivation function (KDF). It is thus advisable for applications to pass the user's password through a strong KDF, such as [Argon2][8] or [scrypt][9], before passing it to OpenPGP.js. Hopefully, the crypto refresh will include one of these algorithms to implement in a future version of OpenPGP.js.
### How to use OpenPGP.js version 5
For now, though, OpenPGP.js version 5 has been [published][10] to the npm package registry. If you like, feel free to try it out! Feedback is welcome in the [discussions tab][11] on GitHub. Please note, however, that while OpenPGP.js is a general-purpose encryption library, its primary use case is in situations where compatibility with the OpenPGP specification is required (for example, when sending or receiving PGP-encrypted email). For other use cases, a different library may be a more appropriate or performant choice. In general, of course, be careful when rolling any crypto.
Thanks for reading, and here's to securing the future of email!
--------------------------------------------------------------------------------
via: https://opensource.com/article/21/10/openpgpjs
作者:[Daniel Huigens][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/twiss
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/newsletter_email_mail_web_browser.jpg?itok=Lo91H9UH (email or newsletters via inbox and browser)
[2]: https://github.com/openpgpjs/openpgpjs
[3]: https://tools.ietf.org/html/rfc4880
[4]: https://datatracker.ietf.org/doc/charter-ietf-openpgp/
[5]: https://rollupjs.org/
[6]: https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service
[7]: https://wiki.gnupg.org/WKD#Mail_Service_Providers_offering_WKD
[8]: https://en.wikipedia.org/wiki/Argon2
[9]: https://en.wikipedia.org/wiki/Scrypt
[10]: https://www.npmjs.com/package/openpgp
[11]: https://github.com/openpgpjs/openpgpjs/discussions

View File

@ -0,0 +1,70 @@
[#]: subject: "3 new features of the latest OpenPGP.js version"
[#]: via: "https://opensource.com/article/21/10/openpgpjs"
[#]: author: "Daniel Huigens https://opensource.com/users/twiss"
[#]: collector: "lujun9972"
[#]: translator: "geekpi"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
最新 OpenPGP.js 版本的 3 个新功能
======
OpenPGP.js 是一个实现了 OpenPGP 标准的密码学库,最常用于电子邮件加密。
![email or newsletters via inbox and browser][1]
[OpenPGP.js][2]是一个实现了 [OpenPGP 标准][3]的密码学库最常用于电子邮件加密。ProtonMail、Mailvelope 和 FlowCrypt 都使用 OpenPGP.js这仅仅是其中一些。这意味着 OpenPGP.js 库对数百万用户的信息进行了加密。
OpenPGP 标准首次发布于 20 世纪 90 年代,像几乎任何东西一样,需要维护和更新,以保证安全和可用性。该标准的“加密刷新”[正在进行中][4],它增加了现代的加密算法并废除了过时的算法。为了提高可用性,各种电子邮件应用程序现在允许用户无缝加密他们的通信,用户无需管理他们的密钥或他们的联系人的密钥。
OpenPGP.js 于 2014 年首次发布,开始基于一个名为 GPG4Browsers 的早期原型,该原型基于 Herbert Hanewinkel以及其他贡献者的几个脚本。OpenPGP.js 的第二个版本于 2016 年发布,完全重新设计,使用 Uint8Arrays 而不是字符串(这大大增加了其性能),并在内部使用现代 ES6 模块而不是 CommonJS 模块。第 3 和第 4 版都是在 2018 年发布的分别增加了对椭圆曲线加密法ECC和流媒体的支持。
我和我的团队继续在 OpenPGP.js 上工作,以确保其发展为一个易于使用的强加密库。
### 1\. 默认的椭圆曲线加密
在 OpenPGP.js 第 4 版中,生成新密钥时默认使用 RSA。虽然 ECC 更快、更安全,但 Curve25519 还没有在 OpenPGP 规范中得到标准化。加密刷新草案包括了 Curve25519并且预计它将“按原样”包含在下一版本的 OpenPGP 规范中,因此 OpenPGP.js 第 5 版现在默认使用 ECC 生成密钥。
### 2\. 只导入你需要的模块
同样,虽然 OpenPGP.js 内部使用 ES6 模块多年,但第 4 版仍然没有发布一个合适的 ES6 模块。相反它只发布了一个通用模块定义UMD模块可以在浏览器和 Node.js 上运行。在第 5 版中,这种情况有所改变,为浏览器和 Node.js 发布了单独的模块(包括 ES6 和非 ES6使库用户更容易在所有平台上导入 OpenPGP.js ,且(当使用 ES6 模块时)只导入他们需要的部分。这在很大程度上是通过将构建系统切换到 [rollup][5] 来实现的。
### 3\. 拒绝弱加密技术
还有许多其他的安全改进。例如1024 位 RSA 密钥、ElGamal 和 DSA 密钥被认为是不安全的,并被默认拒绝。此外,第 4 版已经默认使用 AES 加密,第 5 版现在完全默认拒绝使用较弱的算法进行加密,即使公钥声称只支持较弱的算法。相反,它假定所有的 OpenPGP 实现都支持 AES这种情况已经存在很长时间了
### OpenPGP.js 的下一步是什么?
展望未来,有一些安全方面的改进要做。用于识别公钥的密钥指纹仍然使用 SHA-1尽管在加密技术更新中计划对此进行修复。同时建议使用不同的方法来确定用于加密的任何公钥的真实性例如使用提议的[网络密钥目录 WKD][6]标准直接从收件人的域中获取整个密钥,这已经由各种[电子邮件提供商][7]实现。WKD 支持内置于 OpenPGP.js 第 4 版,但在第 5 版中是一个单独的模块,以保持主库的精简。
同样,当用密码而不是公钥加密信息或文件时(例如:在使用 OpenPGP 进行电子邮件加密时不常见但在用于加密备份时更常见密码会使用相对较弱的密钥衍生函数KDF转换为对称密钥。因此建议应用在将用户的密码传递给 OpenPGP.js 之前,先通过一个强大的 KDF如 [Argon2][8] 或 [scrypt][9]。希望加密技术的刷新会包括这些算法中的一种,以便在未来的 OpenPGP.js 版本中实现。
### 如何使用 OpenPGP.js 第 5 版
不过现在OpenPGP.js 第 5 版已经[发布][10]到 npm 仓库。如果你喜欢,可以随时试用!欢迎在 GitHub 的[讨论标签][11]中进行反馈。然而,请注意,虽然 OpenPGP.js 是一个通用的加密库,但它的主要使用情况是在需要与 OpenPGP 规范兼容的情况下(例如,在发送或接收 PGP 加密的电子邮件时)。对于其他的使用情况,不同的库可能是一个更合适或性能更好的选择。当然,总的来说,在推广任何加密技术时都要小心。
感谢阅读,这里是保护电子邮件的未来!
--------------------------------------------------------------------------------
via: https://opensource.com/article/21/10/openpgpjs
作者:[Daniel Huigens][a]
选题:[lujun9972][b]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/twiss
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/newsletter_email_mail_web_browser.jpg?itok=Lo91H9UH (email or newsletters via inbox and browser)
[2]: https://github.com/openpgpjs/openpgpjs
[3]: https://tools.ietf.org/html/rfc4880
[4]: https://datatracker.ietf.org/doc/charter-ietf-openpgp/
[5]: https://rollupjs.org/
[6]: https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service
[7]: https://wiki.gnupg.org/WKD#Mail_Service_Providers_offering_WKD
[8]: https://en.wikipedia.org/wiki/Argon2
[9]: https://en.wikipedia.org/wiki/Scrypt
[10]: https://www.npmjs.com/package/openpgp
[11]: https://github.com/openpgpjs/openpgpjs/discussions