Nexus SecOps -- Crypto Toolkit

Cryptographic Hash

Input text (UTF-8 encoded before hashing) Algorithm

Hex

Base64

MD5 is intentionally NOT included — Web Crypto does not support it. Use a dedicated MD5 library for legacy compat ONLY (forensic file matching, etc.); never for security.

HMAC (Keyed Hash)

Message Key (UTF-8) Hash algorithm

Hex

Base64

HMAC is the right primitive for: API request signing (AWS SigV4 derivative), webhook authenticity (Stripe, GitHub), session-cookie integrity. Use HMAC-SHA-256 by default.

AES-GCM Encryption (Authenticated)

Plaintext Key (hex; 32 chars = AES-128, 64 chars = AES-256) IV / nonce (hex, 24 chars = 12 bytes) Additional Authenticated Data (optional)

Ciphertext + Tag (hex)

Hex

Base64

Decrypted plaintext (UTF-8)

AES-GCM provides confidentiality AND integrity. Never reuse an (key, IV) pair. The 16-byte authentication tag is appended to the ciphertext by Web Crypto.

RSA-OAEP Key Generation + Encryption

Generate an RSA key pair, then encrypt small payloads with the public key (max ~190 bytes for 2048-bit OAEP-SHA-256). For large payloads, hybrid encryption (AES key wrapped with RSA) is the standard pattern.

Key size Public key (SPKI / base64)

Private key (PKCS#8 / base64)

Plaintext (max ~190 bytes for 2048-bit OAEP) Ciphertext (base64)

Decrypted plaintext

RSA-OAEP is for small payloads (key wrapping, short messages). For data, use hybrid: generate AES key → encrypt data with AES → wrap AES key with RSA. The Web Crypto API does not expose hybrid encryption directly; use the AES tab + RSA tab in sequence.

Encoding / Decoding

Input

Output

Cryptographically Secure Random

Uses crypto.getRandomValues() backed by the OS CSPRNG. Suitable for keys, IVs, salts, tokens, session IDs.

Number of bytes Output format Output

Cryptographic Hash

HMAC (Keyed Hash)

AES-GCM Encryption (Authenticated)

RSA-OAEP Key Generation + Encryption

Encoding / Decoding

Cryptographically Secure Random

Common preset sizes