cryptography

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

When this skill is activated, always start your first response with the 🧢 emoji.

当激活此Skill时，你的第一条回复必须以🧢表情开头。

Cryptography

密码学

A practical cryptography guide for engineers who need to implement encryption, hashing, signing, and key management correctly. This skill covers the seven most common cryptographic tasks with production-ready TypeScript/Node.js code, opinionated algorithm choices, and a clear anti-patterns table. Designed for engineers who understand the basics but need confident, safe defaults.

这是一份为需要正确实现加密、哈希、签名和密钥管理的工程师准备的实用密码学指南。本Skill涵盖了七种最常见的密码学任务，提供可直接用于生产环境的TypeScript/Node.js代码、经过考量的算法选择，以及清晰的反模式对照表。专为了解基础知识但需要可靠、安全默认方案的工程师设计。

When to use this skill

何时使用此Skill

Trigger this skill when the user:

Hashes or stores passwords (bcrypt, argon2, any hashing question)
Encrypts or decrypts data at rest or in transit (AES, RSA, envelope encryption)
Implements JWT signing, verification, or refresh token flows
Configures TLS certificates on servers, proxies, or mutual TLS
Implements HMAC signatures for webhooks or API request signing
Designs or implements a key rotation strategy
Generates cryptographically secure random tokens, IDs, or salts
Chooses between symmetric vs asymmetric, hashing vs encryption, or any algorithm

Do NOT trigger this skill for:

General security posture or authentication/authorization flows - use the backend-engineering security reference instead
Building a custom cryptographic algorithm, cipher, or protocol - that is always wrong; redirect the user immediately

当用户有以下需求时触发此Skill：

哈希或存储密码（bcrypt、argon2，任何与哈希相关的问题）
加密或解密静态数据或传输中的数据（AES、RSA、信封加密）
实现JWT签名、验证或刷新令牌流程
在服务器、代理或双向TLS上配置TLS证书
为Webhook或API请求签名实现HMAC签名
设计或实现密钥轮换策略
生成密码学安全的随机令牌、ID或盐值
在对称与非对称加密、哈希与加密之间做选择，或进行任何算法选型

请勿在以下场景触发此Skill：

通用安全态势或认证/授权流程 - 请改用后端工程安全参考文档
构建自定义密码学算法、密码或协议 - 这始终是错误的做法，请立即引导用户转向正确方案

Key principles

核心原则

Never invent your own crypto primitives - Do not implement block ciphers, hash functions, key derivation, or signature schemes. The gap between "looks correct" and "is correct" is where attackers live. Use audited libraries (Node.js
```
crypto
```
,
```
bcrypt
```
,
```
jose
```
,
```
argon2
```
) that encode decades of research.
Use the highest-level API available - If a library has a
```
hashPassword()
```
function, use it over constructing the primitive manually. High-level APIs embed safe defaults. Low-level APIs require you to know every parameter that matters.
Rotate keys regularly and plan for it upfront - Key rotation is not an afterthought. Envelope encryption makes rotation cheap: re-encrypt only the data key, not the data. Design systems with rotation in mind before writing the first line of code.
Hash passwords with bcrypt or argon2 - never MD5 or SHA* - MD5 and SHA-family hashes are fast by design. Fast hashes mean fast brute force. Password hashing needs to be slow. Argon2id is the current standard. bcrypt with cost 12+ is the safe fallback.
TLS 1.3 is the minimum - Disable TLS 1.0 and 1.1 everywhere. They have known attacks (BEAST, POODLE). TLS 1.2 is acceptable only as a fallback for legacy clients. TLS 1.3 removes the broken cipher suites entirely and has mandatory forward secrecy.

永远不要发明自己的密码学原语 - 不要实现分组密码、哈希函数、密钥派生或签名方案。“看起来正确”和“实际正确”之间的差距正是攻击者利用的漏洞。使用经过审计的库（Node.js
```
crypto
```
、
```
bcrypt
```
、
```
jose
```
、
```
argon2
```
），这些库凝聚了数十年的研究成果。
使用最高层级的可用API - 如果库提供了
```
hashPassword()
```
函数，请优先使用它，而非手动构建原语。高层级API内置了安全的默认配置，而低层级API要求你了解所有关键参数。
定期轮换密钥并提前规划 - 密钥轮换不是事后补充的工作。信封加密让轮换成本大幅降低：只需重新加密数据密钥（DEK），无需重新加密数据本身。在编写第一行代码前，就应将密钥轮换纳入系统设计。
使用bcrypt或argon2哈希密码 - 绝对不要使用MD5或SHA系列 - MD5和SHA系列哈希算法设计初衷就是快速运算，而快速哈希意味着攻击者可以每秒进行数十亿次暴力破解。密码哈希需要慢运算。Argon2id是当前的标准方案，bcrypt（cost值≥12）是安全的备选方案。
TLS 1.3是最低要求 - 全面禁用TLS 1.0和1.1，它们存在已知漏洞（BEAST、POODLE）。仅当需要兼容旧版客户端时，才可将TLS 1.2作为备选。TLS 1.3彻底移除了存在漏洞的密码套件，并强制要求前向保密。

Core concepts

核心概念

Symmetric vs asymmetric encryption - Symmetric uses one key for both encrypt and decrypt (AES). Fast, suitable for bulk data. The hard problem is securely sharing the key. Asymmetric uses a key pair: public key encrypts, private key decrypts (RSA, ECDH). Slower, but solves the key distribution problem. In practice, use asymmetric to exchange a symmetric key, then use symmetric for the actual data (this is what TLS does).

Hashing vs encryption - Hashing is one-way: you can verify but not reverse. Encryption is two-way: you can recover the original with the key. Use hashing for passwords (you verify, never recover). Use encryption for data you need to read back (PII, configuration secrets).

Digital signatures - Asymmetric operation where the private key signs and the public key verifies. Proves authenticity (this came from the private key holder) and integrity (data was not modified). Used in JWTs (RS256, ES256), code signing, and document verification.

Key derivation functions (KDF) - Transform a low-entropy input (password) into a high-entropy key using a slow, memory-hard algorithm. PBKDF2, bcrypt, scrypt, and Argon2 are KDFs. Do not use raw SHA-256 to derive a key from a password.

Envelope encryption - The pattern for production key management. Encrypt data with a data encryption key (DEK). Encrypt the DEK with a key encryption key (KEK) stored in a KMS. Store the encrypted DEK alongside the ciphertext. To rotate: ask KMS to re-wrap the DEK with the new KEK. The data itself never needs re-encryption.

对称与非对称加密 - 对称加密使用同一个密钥进行加密和解密（AES），运算速度快，适合处理大量数据，但难点在于安全地共享密钥。非对称加密使用密钥对：公钥用于加密，私钥用于解密（RSA、ECDH），运算速度较慢，但解决了密钥分发的问题。实际应用中，通常先用非对称加密交换对称密钥，再用对称加密处理实际数据（这也是TLS采用的模式）。

哈希与加密 - 哈希是单向操作：你可以验证但无法还原原始数据。加密是双向操作：使用密钥可以恢复原始数据。哈希适用于密码（你只需验证，无需还原），加密适用于需要读取原始内容的数据（如个人可识别信息PII、配置机密）。

数字签名 - 一种非对称操作，私钥用于签名，公钥用于验证。可证明数据的真实性（确实来自私钥持有者）和完整性（数据未被篡改）。常用于JWT（RS256、ES256）、代码签名和文档验证。

密钥派生函数（KDF） - 使用慢运算、内存密集型算法，将低熵输入（如密码）转换为高熵密钥。PBKDF2、bcrypt、scrypt和Argon2都是KDF。不要使用原始SHA-256从密码派生密钥。

信封加密 - 生产环境密钥管理的标准模式。使用数据加密密钥（DEK）加密数据，使用密钥管理服务（KMS）中的密钥加密密钥（KEK）加密DEK，将加密后的DEK与密文一起存储。轮换密钥时：只需让KMS用新的KEK重新加密DEK，无需重新加密数据本身。

Common tasks

常见任务

Hash passwords with bcrypt / argon2

使用bcrypt / argon2哈希密码

Use

argon2

(preferred) or

bcrypt

(widely supported). Never use

crypto.createHash

for passwords.

typescript

import argon2 from 'argon2';

// Hash a password
export async function hashPassword(password: string): Promise<string> {
  return argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536,   // 64 MB
    timeCost: 3,
    parallelism: 1,
  });
}

// Verify a password
export async function verifyPassword(hash: string, password: string): Promise<boolean> {
  return argon2.verify(hash, password);
}

typescript

// bcrypt fallback (cost 12+ required in production)
import bcrypt from 'bcrypt';

const SALT_ROUNDS = 12;

export async function hashPassword(password: string): Promise<string> {
  return bcrypt.hash(password, SALT_ROUNDS);
}

export async function verifyPassword(hash: string, password: string): Promise<boolean> {
  return bcrypt.compare(password, hash);
}

Always use
argon2.verify
/
bcrypt.compare
for comparison - they are constant-time. Never use
===
to compare hashes.

优先使用

argon2

，备选使用

bcrypt

（兼容性广泛）。绝对不要使用

crypto.createHash

处理密码。

typescript

import argon2 from 'argon2';

// 哈希密码
export async function hashPassword(password: string): Promise<string> {
  return argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536,   // 64 MB
    timeCost: 3,
    parallelism: 1,
  });
}

// 验证密码
export async function verifyPassword(hash: string, password: string): Promise<boolean> {
  return argon2.verify(hash, password);
}

typescript

// bcrypt备选方案（生产环境要求cost≥12）
import bcrypt from 'bcrypt';

const SALT_ROUNDS = 12;

export async function hashPassword(password: string): Promise<string> {
  return bcrypt.hash(password, SALT_ROUNDS);
}

export async function verifyPassword(hash: string, password: string): Promise<boolean> {
  return bcrypt.compare(password, hash);
}

始终使用
argon2.verify
/
bcrypt.compare
进行比较 - 它们是恒定时长比较。绝对不要使用
===
比较哈希值。

Encrypt data with AES-256-GCM

使用AES-256-GCM加密数据

AES-256-GCM is authenticated encryption: it provides both confidentiality and integrity. Always use GCM mode, not CBC (CBC requires a separate MAC and is error-prone).

typescript

import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';

const ALGORITHM = 'aes-256-gcm';
const KEY_LENGTH = 32; // 256 bits
const IV_LENGTH = 12;  // 96 bits - recommended for GCM
const TAG_LENGTH = 16; // 128 bits

export function encrypt(plaintext: string, key: Buffer): {
  ciphertext: string;
  iv: string;
  tag: string;
} {
  const iv = randomBytes(IV_LENGTH);
  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });

  const encrypted = Buffer.concat([
    cipher.update(plaintext, 'utf8'),
    cipher.final(),
  ]);

  return {
    ciphertext: encrypted.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

export function decrypt(
  ciphertext: string,
  iv: string,
  tag: string,
  key: Buffer
): string {
  const decipher = createDecipheriv(
    ALGORITHM,
    key,
    Buffer.from(iv, 'base64'),
    { authTagLength: TAG_LENGTH }
  );

  decipher.setAuthTag(Buffer.from(tag, 'base64'));

  return Buffer.concat([
    decipher.update(Buffer.from(ciphertext, 'base64')),
    decipher.final(),
  ]).toString('utf8');
}

// Generate a key (store in KMS, never hardcode)
export function generateKey(): Buffer {
  return randomBytes(KEY_LENGTH);
}

Never reuse an IV with the same key. Generate a fresh random IV for every encryption operation and store it alongside the ciphertext.

AES-256-GCM是带认证的加密算法：同时提供机密性和完整性。始终使用GCM模式，不要使用CBC（CBC需要单独的消息认证码MAC，且容易出错）。

typescript

import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';

const ALGORITHM = 'aes-256-gcm';
const KEY_LENGTH = 32; // 256 bits
const IV_LENGTH = 12;  // 96 bits - GCM推荐长度
const TAG_LENGTH = 16; // 128 bits

export function encrypt(plaintext: string, key: Buffer): {
  ciphertext: string;
  iv: string;
  tag: string;
} {
  const iv = randomBytes(IV_LENGTH);
  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LENGTH });

  const encrypted = Buffer.concat([
    cipher.update(plaintext, 'utf8'),
    cipher.final(),
  ]);

  return {
    ciphertext: encrypted.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

export function decrypt(
  ciphertext: string,
  iv: string,
  tag: string,
  key: Buffer
): string {
  const decipher = createDecipheriv(
    ALGORITHM,
    key,
    Buffer.from(iv, 'base64'),
    { authTagLength: TAG_LENGTH }
  );

  decipher.setAuthTag(Buffer.from(tag, 'base64'));

  return Buffer.concat([
    decipher.update(Buffer.from(ciphertext, 'base64')),
    decipher.final(),
  ]).toString('utf8');
}

// 生成密钥（存储在KMS中，绝对不要硬编码）
export function generateKey(): Buffer {
  return randomBytes(KEY_LENGTH);
}

绝对不要对同一个密钥重复使用IV。每次加密操作都要生成新的随机IV，并将其与密文一起存储。

Implement JWT signing and verification

实现JWT签名与验证

Use the

jose

library. It enforces algorithm allowlisting, handles key rotation via JWKS, and is actively maintained.

typescript

import { SignJWT, jwtVerify, generateKeyPair } from 'jose';

// Generate a key pair once (store private key in secrets manager)
export async function generateJwtKeys() {
  return generateKeyPair('ES256'); // prefer ES256 over RS256 - smaller, faster
}

// Sign a JWT
export async function signToken(
  payload: Record<string, unknown>,
  privateKey: CryptoKey
): Promise<string> {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'ES256' })
    .setIssuedAt()
    .setExpirationTime('15m')      // short-lived access tokens
    .setIssuer('https://your-api.example.com')
    .setAudience('https://your-api.example.com')
    .sign(privateKey);
}

// Verify a JWT
export async function verifyToken(
  token: string,
  publicKey: CryptoKey
): Promise<Record<string, unknown>> {
  const { payload } = await jwtVerify(token, publicKey, {
    issuer: 'https://your-api.example.com',
    audience: 'https://your-api.example.com',
    algorithms: ['ES256'], // explicit allowlist - never omit this
  });
  return payload as Record<string, unknown>;
}

Always specify an
algorithms
allowlist in
jwtVerify
. The historic
alg: "none"
bypass happened because libraries trusted the header blindly.

使用

jose

库，它强制要求算法白名单，支持通过JWKS进行密钥轮换，且维护活跃。

typescript

import { SignJWT, jwtVerify, generateKeyPair } from 'jose';

// 生成密钥对（仅需一次，私钥存储在密钥管理器中）
export async function generateJwtKeys() {
  return generateKeyPair('ES256'); // 优先使用ES256而非RS256 - 体积更小、速度更快
}

// 签名JWT
export async function signToken(
  payload: Record<string, unknown>,
  privateKey: CryptoKey
): Promise<string> {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'ES256' })
    .setIssuedAt()
    .setExpirationTime('15m')      // 短生命周期的访问令牌
    .setIssuer('https://your-api.example.com')
    .setAudience('https://your-api.example.com')
    .sign(privateKey);
}

// 验证JWT
export async function verifyToken(
  token: string,
  publicKey: CryptoKey
): Promise<Record<string, unknown>> {
  const { payload } = await jwtVerify(token, publicKey, {
    issuer: 'https://your-api.example.com',
    audience: 'https://your-api.example.com',
    algorithms: ['ES256'], // 显式指定白名单 - 绝对不要省略
  });
  return payload as Record<string, unknown>;
}

始终在
jwtVerify
中指定
algorithms
白名单。历史上的
alg: "none"
绕过漏洞就是因为库盲目信任令牌头中的算法。

Configure TLS certificates

配置TLS证书

For Node.js HTTPS servers, enforce TLS 1.3 and remove weak cipher suites.

typescript

import https from 'https';
import fs from 'fs';

const server = https.createServer(
  {
    key: fs.readFileSync('/etc/ssl/private/server.key'),
    cert: fs.readFileSync('/etc/ssl/certs/server.crt'),
    ca: fs.readFileSync('/etc/ssl/certs/ca.crt'), // optional: chain file

    minVersion: 'TLSv1.3',
    // If TLSv1.2 is required for legacy clients:
    // minVersion: 'TLSv1.2',
    // ciphers: [
    //   'TLS_AES_256_GCM_SHA384',
    //   'TLS_CHACHA20_POLY1305_SHA256',
    //   'ECDHE-RSA-AES256-GCM-SHA384',
    // ].join(':'),

    honorCipherOrder: true,
  },
  app
);

For certificate rotation without downtime, use Let's Encrypt with

certbot

and configure auto-renewal. Point your server at the live symlink (

/etc/letsencrypt/live/<domain>/

). On renewal, reload the process (SIGHUP for nginx; graceful restart for Node).

Mutual TLS (mTLS) for service-to-service: add
requestCert: true
and
rejectUnauthorized: true
to require client certificates.

对于Node.js HTTPS服务器，强制使用TLS 1.3并移除弱密码套件。

typescript

import https from 'https';
import fs from 'fs';

const server = https.createServer(
  {
    key: fs.readFileSync('/etc/ssl/private/server.key'),
    cert: fs.readFileSync('/etc/ssl/certs/server.crt'),
    ca: fs.readFileSync('/etc/ssl/certs/ca.crt'), // 可选：证书链文件

    minVersion: 'TLSv1.3',
    // 如果需要兼容旧版客户端，启用TLSv1.2：
    // minVersion: 'TLSv1.2',
    // ciphers: [
    //   'TLS_AES_256_GCM_SHA384',
    //   'TLS_CHACHA20_POLY1305_SHA256',
    //   'ECDHE-RSA-AES256-GCM-SHA384',
    // ].join(':'),

    honorCipherOrder: true,
  },
  app
);

要实现无停机证书轮换，可使用Let's Encrypt和

certbot

并配置自动续期。将服务器指向实时符号链接（

/etc/letsencrypt/live/<domain>/

）。续期完成后，重新加载进程（nginx使用SIGHUP信号；Node.js使用优雅重启）。

服务间双向TLS（mTLS）：添加
requestCert: true
和
rejectUnauthorized: true
以要求客户端证书。

Implement HMAC for webhook verification

为Webhook验证实现HMAC

Webhooks deliver signed payloads. HMAC-SHA256 lets receivers verify authenticity without asymmetric keys.

typescript

import { createHmac, timingSafeEqual } from 'crypto';

const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET!;
const TIMESTAMP_TOLERANCE_SECONDS = 300; // 5 minutes - prevent replay attacks

export function signWebhookPayload(payload: string, timestamp: number): string {
  const message = `${timestamp}.${payload}`;
  return createHmac('sha256', WEBHOOK_SECRET).update(message).digest('hex');
}

export function verifyWebhookSignature(
  payload: string,
  signature: string,
  timestamp: number
): boolean {
  // Reject stale requests
  const now = Math.floor(Date.now() / 1000);
  if (Math.abs(now - timestamp) > TIMESTAMP_TOLERANCE_SECONDS) {
    return false;
  }

  const expected = signWebhookPayload(payload, timestamp);
  const expectedBuf = Buffer.from(expected, 'hex');
  const receivedBuf = Buffer.from(signature, 'hex');

  // Buffers must be equal length for timingSafeEqual
  if (expectedBuf.length !== receivedBuf.length) {
    return false;
  }

  return timingSafeEqual(expectedBuf, receivedBuf);
}

Always use
timingSafeEqual
for signature comparison. String
===
is vulnerable to timing attacks that leak whether the prefix matched.

Webhook会传递已签名的负载，HMAC-SHA256允许接收方无需使用非对称密钥即可验证负载的真实性。

typescript

import { createHmac, timingSafeEqual } from 'crypto';

const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET!;
const TIMESTAMP_TOLERANCE_SECONDS = 300; // 5分钟 - 防止重放攻击

export function signWebhookPayload(payload: string, timestamp: number): string {
  const message = `${timestamp}.${payload}`;
  return createHmac('sha256', WEBHOOK_SECRET).update(message).digest('hex');
}

export function verifyWebhookSignature(
  payload: string,
  signature: string,
  timestamp: number
): boolean {
  // 拒绝过期请求
  const now = Math.floor(Date.now() / 1000);
  if (Math.abs(now - timestamp) > TIMESTAMP_TOLERANCE_SECONDS) {
    return false;
  }

  const expected = signWebhookPayload(payload, timestamp);
  const expectedBuf = Buffer.from(expected, 'hex');
  const receivedBuf = Buffer.from(signature, 'hex');

  // 使用timingSafeEqual时，缓冲区长度必须相同
  if (expectedBuf.length !== receivedBuf.length) {
    return false;
  }

  return timingSafeEqual(expectedBuf, receivedBuf);
}

始终使用
timingSafeEqual
进行签名比较。字符串
===
比较容易受到计时攻击，攻击者可通过比较时间差得知前缀是否匹配。

Set up key rotation strategy

建立密钥轮换策略

Envelope encryption makes rotation low-risk and incremental.

typescript

// Pseudo-implementation showing the envelope encryption + rotation pattern
interface EncryptedRecord {
  ciphertext: string;
  iv: string;
  tag: string;
  encryptedDek: string;  // DEK wrapped by KEK from KMS
  keyVersion: string;    // which KEK version was used
}

// Encryption: generate a fresh DEK per record (or per session)
async function encryptWithEnvelope(plaintext: string, kmsClient: KMSClient): Promise<EncryptedRecord> {
  const dek = generateKey(); // random 256-bit DEK
  const { ciphertext, iv, tag } = encrypt(plaintext, dek);

  // KMS wraps (encrypts) the DEK - the DEK never leaves your process in plaintext
  const { encryptedDek, keyVersion } = await kmsClient.encryptKey(dek);
  dek.fill(0); // zero out DEK from memory immediately after use

  return { ciphertext, iv, tag, encryptedDek, keyVersion };
}

// Key rotation: re-wrap the DEK with the new KEK version, no data re-encryption needed
async function rotateKey(record: EncryptedRecord, kmsClient: KMSClient): Promise<EncryptedRecord> {
  const dek = await kmsClient.decryptKey(record.encryptedDek, record.keyVersion);
  const { encryptedDek, keyVersion } = await kmsClient.encryptKey(dek, 'latest');
  dek.fill(0);
  return { ...record, encryptedDek, keyVersion };
}

Rotation strategy: when a new KEK version is available, re-wrap DEKs lazily on access or proactively in a background job. Retire old KEK versions only after all DEKs have been re-wrapped.

信封加密让密钥轮换的风险更低、更具增量性。

typescript

// 展示信封加密+轮换模式的伪实现
interface EncryptedRecord {
  ciphertext: string;
  iv: string;
  tag: string;
  encryptedDek: string;  // 被KMS中的KEK加密的DEK
  keyVersion: string;    // 使用的KEK版本
}

// 加密：为每条记录（或每个会话）生成新的DEK
async function encryptWithEnvelope(plaintext: string, kmsClient: KMSClient): Promise<EncryptedRecord> {
  const dek = generateKey(); // 随机256位DEK
  const { ciphertext, iv, tag } = encrypt(plaintext, dek);

  // KMS包装（加密）DEK - DEK永远不会以明文形式离开你的进程
  const { encryptedDek, keyVersion } = await kmsClient.encryptKey(dek);
  dek.fill(0); // 使用后立即从内存中清零DEK

  return { ciphertext, iv, tag, encryptedDek, keyVersion };
}

// 密钥轮换：用新的KEK版本重新包装DEK，无需重新加密数据
async function rotateKey(record: EncryptedRecord, kmsClient: KMSClient): Promise<EncryptedRecord> {
  const dek = await kmsClient.decryptKey(record.encryptedDek, record.keyVersion);
  const { encryptedDek, keyVersion } = await kmsClient.encryptKey(dek, 'latest');
  dek.fill(0);
  return { ...record, encryptedDek, keyVersion };
}

轮换策略：当新的KEK版本可用时，可在访问数据时懒加载式重新包装DEK，或通过后台任务主动重新包装。仅当所有DEK都已重新包装后，才可停用旧的KEK版本。

Generate secure random tokens

生成安全的随机令牌

For session IDs, API keys, password reset tokens, and CSRF tokens, use

crypto.randomBytes

. Do not use

Math.random

typescript

import { randomBytes } from 'crypto';

// URL-safe base64 token (default 32 bytes = 256 bits)
export function generateToken(bytes = 32): string {
  return randomBytes(bytes).toString('base64url');
}

// Hex token (for systems that require hex)
export function generateHexToken(bytes = 32): string {
  return randomBytes(bytes).toString('hex');
}

// Numeric OTP (e.g., 6-digit)
export function generateOtp(digits = 6): string {
  const max = 10 ** digits;
  const value = Number(randomBytes(4).readUInt32BE(0)) % max;
  return value.toString().padStart(digits, '0');
}

32 bytes (256 bits) is the minimum for tokens used as secret keys or long-lived credentials. 16 bytes (128 bits) is acceptable for CSRF tokens where the attack surface is limited.

对于会话ID、API密钥、密码重置令牌和CSRF令牌，请使用

crypto.randomBytes

，绝对不要使用

Math.random

。

typescript

import { randomBytes } from 'crypto';

// URL安全的base64令牌（默认32字节=256位）
export function generateToken(bytes = 32): string {
  return randomBytes(bytes).toString('base64url');
}

// 十六进制令牌（适用于要求十六进制格式的系统）
export function generateHexToken(bytes = 32): string {
  return randomBytes(bytes).toString('hex');
}

// 数字一次性密码（OTP，如6位）
export function generateOtp(digits = 6): string {
  const max = 10 ** digits;
  const value = Number(randomBytes(4).readUInt32BE(0)) % max;
  return value.toString().padStart(digits, '0');
}

作为密钥或长期凭证使用的令牌，最小长度为32字节（256位）。对于攻击面有限的CSRF令牌，16字节（128位）是可接受的。

Anti-patterns

反模式

Anti-pattern	Why it is dangerous	What to do instead
`MD5` or `SHA-256` for passwords	Fast hashes enable brute force at billions of attempts/sec	Use `argon2id` or `bcrypt` (cost >= 12)
Reusing an IV/nonce with the same key	Catastrophically breaks GCM confidentiality and integrity	Generate a fresh `randomBytes(12)` IV for every encrypt call
`alg: "none"` in JWT or omitting algorithm allowlist	Allows token forgery by stripping the signature	Always pass `algorithms: ['ES256']` (or your chosen alg) to `jwtVerify`
Comparing signatures with `===`	String comparison short-circuits, leaking timing information	Use `crypto.timingSafeEqual` for all secret/signature comparisons
`Math.random()` for tokens or keys	Predictable PRNG, not suitable for security-sensitive values	Use `crypto.randomBytes()`
Encrypting passwords instead of hashing	Encrypted passwords are recoverable if the key leaks	Hash passwords; never encrypt them

反模式	危险原因	替代方案
使用 `MD5` 或 `SHA-256` 哈希密码	快速哈希让攻击者可以每秒进行数十亿次暴力破解	使用 `argon2id` 或bcrypt（cost≥12）
对同一个密钥重复使用IV/随机数	会彻底破坏GCM的机密性和完整性	每次加密调用都生成新的 `randomBytes(12)` IV
JWT中使用 `alg: "none"` 或省略算法白名单	攻击者可通过移除签名伪造令牌	始终向 `jwtVerify` 传递 `algorithms: ['ES256']` （或你选择的算法）
使用 `===` 比较签名	字符串比较会提前终止，泄露计时信息	所有机密/签名比较都使用 `crypto.timingSafeEqual`
使用 `Math.random()` 生成令牌或密钥	伪随机数生成器（PRNG）可预测，不适合安全敏感场景	使用 `crypto.randomBytes()`
加密密码而非哈希密码	若密钥泄露，加密的密码可被还原	哈希密码；绝对不要加密密码

Gotchas

注意事项

IV reuse with AES-256-GCM is catastrophically insecure - Reusing an IV (nonce) with the same key in GCM mode allows an attacker to recover the plaintext and the authentication key. This is not a theoretical risk - it is a known attack. Generate a fresh
```
randomBytes(12)
```
IV for every single encrypt call without exception.
alg: "none"
JWT bypass via missing algorithm allowlist - If you call
```
jwtVerify
```
without passing an explicit
```
algorithms
```
allowlist, some library versions accept a token with
```
alg: "none"
```
in the header, bypassing signature verification entirely. Always pass
```
algorithms: ['ES256']
```
(or your chosen algorithm) to every verification call.
Timing attacks on signature comparison - Using
```
===
```
or
```
.equals()
```
to compare HMAC signatures or password hashes leaks timing information: the comparison short-circuits as soon as it finds a mismatch, revealing how many prefix bytes matched. Always use
```
crypto.timingSafeEqual()
```
for any security-sensitive comparison.
bcrypt silently truncates passwords at 72 bytes - bcrypt only processes the first 72 bytes of a password. A user with a 100-byte password gets the same hash as if they used the first 72 bytes. This is not a bug per se, but it means bcrypt does not protect extremely long passwords. Pre-hash with SHA-256 before bcrypt if you need to support passwords beyond 72 bytes.
Storing the DEK in plaintext next to the ciphertext - Envelope encryption only works if the data encryption key (DEK) is itself encrypted by a KMS-managed key. Storing an unencrypted DEK in the same database column as the ciphertext provides zero additional security over not encrypting at all.

AES-256-GCM中重复使用IV会导致灾难性安全问题 - 对同一个密钥重复使用IV（随机数）会让攻击者还原明文和认证密钥。这不是理论风险，而是已被证实的攻击手段。每次加密操作都必须生成新的
```
randomBytes(12)
```
IV，无一例外。
未指定算法白名单导致JWT的
alg: "none"
绕过漏洞 - 若调用
```
jwtVerify
```
时未传递显式的
```
algorithms
```
白名单，部分库版本会接受头中包含
```
alg: "none"
```
的令牌，完全绕过签名验证。每次验证调用都必须传递
```
algorithms: ['ES256']
```
（或你选择的算法）。
签名比较中的计时攻击 - 使用
```
===
```
或
```
.equals()
```
比较HMAC签名或密码哈希会泄露计时信息：比较会在发现不匹配时立即终止，攻击者可据此得知前缀是否匹配。所有安全敏感的比较都必须使用
```
crypto.timingSafeEqual()
```
。
bcrypt会自动截断超过72字节的密码 - bcrypt仅处理密码的前72字节，使用100字节密码的用户得到的哈希值与仅使用前72字节的结果相同。这本身不是bug，但意味着bcrypt无法保护极长的密码。若需要支持超过72字节的密码，可先使用SHA-256预处理，再进行bcrypt哈希。
将明文DEK与密文存储在一起 - 信封加密仅当数据加密密钥（DEK）本身被KMS管理的密钥加密时才有效。将未加密的DEK与密文存储在数据库的同一列中，与不加密没有任何区别。

References

参考资料

```
references/algorithm-guide.md
```
- when to use which algorithm: AES vs RSA vs ECDH, SHA-256 vs Argon2, ES256 vs RS256, and cipher mode comparisons

Load the references file only when deeper algorithm selection guidance is needed. It is detailed and will consume additional context.

```
references/algorithm-guide.md
```
- 算法选型指南：何时使用AES vs RSA vs ECDH、SHA-256 vs Argon2、ES256 vs RS256，以及密码模式对比

仅当需要更深入的算法选型指导时，才加载参考资料文件。该文件内容详细，会占用额外的上下文空间。

Companion check

配套Skill检查

On first activation of this skill in a conversation: check which companion skills are installed by running
ls ~/.claude/skills/ ~/.agent/skills/ ~/.agents/skills/ .claude/skills/ .agent/skills/ .agents/skills/ 2>/dev/null
. Compare the results against the
recommended_skills
field in this file's frontmatter. For any that are missing, mention them once and offer to install:
npx skills add AbsolutelySkilled/AbsolutelySkilled --skill <name>
Skip entirely if
recommended_skills
is empty or all companions are already installed.

在对话中首次激活此Skill时：通过运行
ls ~/.claude/skills/ ~/.agent/skills/ ~/.agents/skills/ .claude/skills/ .agent/skills/ .agents/skills/ 2>/dev/null
检查已安装的配套Skill。将结果与本文件前置元数据中的
recommended_skills
字段对比。对于缺失的Skill，提及一次并提供安装命令：
npx skills add AbsolutelySkilled/AbsolutelySkilled --skill <name>
若
recommended_skills
为空或所有配套Skill已安装，则跳过此步骤。