Skip to content

README.md

Latest commit

 

History

History
79 lines (58 loc) · 5.1 KB

README.md

File metadata and controls

79 lines (58 loc) · 5.1 KB

3ncr.org

A standard for string encryption / decryption — algorithms plus a storage format — designed for encrypting tokens in configuration files, but usable for any UTF-8 string.

Version 1 uses AES-256-GCM for authenticated encryption with a 12-byte random IV and a 16-byte GCM tag:

3ncr.org/1#<base64(iv[12] || ciphertext || tag[16])>

Example:

3ncr.org/1#GBNhVAcPC83EgKB+TnH1cZbJbkMhbP0GsJ1ctSZZXTErnScw

The envelope is KDF-agnostic — it does not prescribe how the 32-byte AES key is obtained. Libraries accept a raw 32-byte key and expose Argon2id convenience factories for low-entropy secrets (passwords). A legacy PBKDF2-SHA3 constructor survives in Go, Node, and PHP for decrypting data produced before the Argon2id decision; new-language implementations ship only the three recommended tiers (raw key, SHA3-256, Argon2id).

Full specification + canonical test vectors: https://3ncr.org/1/ Browser demo: https://3ncr.org/1/demo/

Official implementations

Language Repo CI Registry Min toolchain
Go tokencrypt CI Go Reference Go 1.25
Node.js nodencrypt CI npm Node 20
PHP tokencrypt-php CI Packagist PHP 8.1
Python tokencrypt-python CI PyPI Python 3.9
Rust tokencrypt-rust CI crates.io Rust 1.85
Java tokencrypt-java CI Maven Central JDK 17
C# / .NET tokencrypt-csharp CI NuGet .NET 8
Ruby tokencrypt-ruby CI Gem Ruby 3.1

Quick install

go get github.com/3ncr/tokencrypt
npm install nodencrypt
composer require 3ncr/tokencrypt-php
pip install 3ncr           # imports as `threencr` (PyPI dist names accept digits, Python identifiers don't)
cargo add threencr          # crates.io rejects digit-first names, so the Rust crate is `threencr`
gem install 3ncr           # imports as `Threencr::TokenCrypt`

Java (Maven Central) and C# / .NET (NuGet) coordinates are pending first publish.

API

Every library exposes the same two-method API:

  • encrypt3ncr(plaintext) -> string — returns a 3ncr.org/1#… envelope.
  • decryptIf3ncr(input) -> string — decrypts 3ncr.org/1#… input; returns any other input unchanged.

Exact naming varies per language (TokenCrypt, NodenCrypt, etc.); see each README for constructor details.

All libraries are MIT-licensed.

Reporting a vulnerability

Every 3ncr repository has Private Vulnerability Reporting enabled — use the Security tab on the repo and click Report a vulnerability to open a private draft advisory visible only to maintainers. Please do not file public issues for suspected security problems. See each repo's SECURITY.md for the disclosure policy and response-time expectations.

Maintainer

Maintained by Andrian Budantsov.