Skip to content

Security: MDP-Studio/crypto-toolkit

Security

SECURITY.md

Security Policy

Scope

CryptoToolkit is an educational tool. The cryptographic implementations are designed for learning and are explicitly not suitable for production use.

Known non-production characteristics:

  • BigInt arithmetic is not constant-time (timing leaks proportional to operand size)
  • Key material is not zeroized after use
  • No formal verification or side-channel analysis has been performed
  • generateRandomPrime draws fresh CSPRNG candidates per iteration (FIPS 186-5 §B.3.3 compliant), but uses software Miller-Rabin rather than hardware-accelerated primality testing
  • GHASH length encoding uses 32-bit JS bitwise operations (correct for inputs < 268MB)

Reporting a Vulnerability

If you find a correctness bug in a cryptographic implementation (wrong output for a known test vector, an attack demo that doesn't actually compute what it claims, or a security header misconfiguration):

  1. Open a GitHub issue — this is an educational project, not production infrastructure, so responsible disclosure timelines don't apply
  2. Include: what you expected, what you got, and which test vector or spec section applies
  3. If you have a fix, PRs are welcome

Audit History

This codebase has been through 6 internal audit sweeps covering:

  • FIPS 197 / SP 800-38D test vector verification (AES, GCM)
  • FIPS 180-4 test vector verification (SHA-256)
  • RFC 4231 test vector verification (HMAC-SHA256)
  • Miller-Rabin correctness against Carmichael numbers
  • CSP header verification against deployed headers
  • Coolify nginx parity checks against public/_headers, vercel.json, and deploy/nginx.coolify.conf
  • Edge-transform prevention for HTML so a proxy cannot inject analytics code outside the reviewed CSP and no-tracking boundary
  • CSPRNG usage audit (Math.random banned via ESLint)
  • Dependency placement audit (build tools in devDependencies)
  • BigInt falsy-zero audit (0n is falsy in JS)
  • Release transparency audit (SBOM, checksums, and local provenance checklist)
  • Crypto-agility inventory and misuse-decision coverage (versioning, downgrade rejection, protocol ownership, PQC prioritization, and rollback)

The crypto-agility lab is design education. It does not implement post-quantum algorithms, replace browser or provider TLS, or certify a migration plan. Production migration requires supported libraries, protocol-owner coordination, interoperability evidence, staged telemetry, and an approved rollback policy.

Findings and resolutions are tracked in tasks/todo.md.

There aren't any published security advisories