Password Key Derivation with Unicode Support

Build a password key derivation utility that handles Unicode passwords correctly to ensure consistent key generation across different platforms and input methods.

Background

Users may enter passwords using different input methods, keyboard layouts, or copy-paste from various sources. This can result in visually identical passwords that are actually represented differently at the byte level (e.g., composed vs decomposed Unicode characters). Your utility must normalize these inputs to ensure the same password always generates the same cryptographic key.

Requirements

Create a module that derives cryptographic keys from passwords with proper Unicode handling:

1. Normalize Unicode inputs: Apply proper Unicode normalization to both password and salt before key derivation
2. Generate consistent keys: Ensure the same visual password always produces the same key, regardless of Unicode composition
3. Use appropriate parameters: Apply suitable scrypt parameters (N=1024, r=8, p=1, dkLen=32)
4. Return hex-encoded keys: Output keys as hexadecimal strings for easy comparison

The module should provide a synchronous function that takes a password string and salt string, normalizes them properly, and returns a hex-encoded derived key.

Implementation

@generates

API

/**
 * Derives a cryptographic key from a password using scrypt with proper Unicode normalization.
 *
 * @param {string} password - The password string (may contain Unicode characters)
 * @param {string} salt - The salt string (may contain Unicode characters)
 * @returns {string} The derived key as a hexadecimal string
 */
function deriveKey(password, salt) {
  // IMPLEMENTATION HERE
}

module.exports = { deriveKey };

Test Cases

Handles composed vs decomposed Unicode

• Given password "café" (composed é: U+00E9) and password "café" (decomposed e+´: U+0065 U+0301), both should produce identical derived keys when normalized. @test

Handles compatibility characters

• Given password "file" (ligature fi: U+FB01) and password "file" (separate f+i), both should produce identical keys after NFKC normalization. @test

Produces consistent keys

• Deriving a key from password "test123" with salt "randomsalt" twice should produce the exact same hex string both times. @test

Handles ASCII passwords

• ASCII-only password "SimplePass123" with salt "salt" should successfully derive a key as a 64-character hex string (32 bytes). @test

Dependencies { .dependencies }

scrypt-js { .dependency }

Provides the scrypt password-based key derivation function.

@satisfied-by