[liberationtech] pgp message encryption and decryption using just a browser

Steve Weis steveweis at gmail.com
Mon Oct 4 10:56:56 PDT 2010


I took a look at the source. The AES implementation is by Fritz
Schneider, who has a background in crypto, security, and Javascript.
That code was written in 2001, so I'd expect it to have received a
decent level of scrutiny.

However, the rest of the integration has several issues:
1. It uses a plain MD5 digest for authentication, rather than a MAC.
This is a weak integrity check and not strong authentication.
2. It computes the authentication over the plaintext, rather than the
ciphertext.
3. The IV is not authenticated.
4. The digest verification is vulnerable to a timing attack.
5. It has its own PRNG and entropy gathering implementations. I don't
see an immediate issue, but these are hard to get right.

I think #1 & #3 could leave it open to a chosen ciphertext
attack and #2 may make it vulnerable to a padding attack. These can't
be fixed without throwing out the existing ciphertext format. #4 may
not be an issue in this setting.

I do not consider this safe to use.

On Mon, Oct 4, 2010 at 6:06 AM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> As a compromise, I have found:
>     http://www.fourmilab.ch/javascrypt/jscrypt.html
>
> to be a useful symmetrical encryption and decryption of text facility
> and a full copy can be downloaded as one archived .zip file and used
> offline:
> http://www.fourmilab.ch/javascrypt/javascrypt.zip
>
> Thanks
> Frank
>
> ----- Original message -----
> From: "Frank Corrigan" <email at franciscorrigan.com>
> To: "liberationtech at lists.stanford.edu"
> <liberationtech at lists.stanford.edu>
> Date: Thu, 30 Sep 2010 14:24:04 +0100
> Subject: Re: [liberationtech] pgp message encryption and decryption using
> just a browser
>
> Below are details of the discussion I have been having with Herbert
> Hanewinkel <mail at hanewin.de> the developer of
> http://www.hanewin.net/encrypt/PGcrypt.htm and hope sharing will shed
> some light on the issues being raised.
>
> Frank
>
> In reverse chronology:

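The four construction flaws Steve lists above (unkeyed MD5 as the integrity check, digest over plaintext rather than ciphertext, IV left unauthenticated, non-constant-time digest comparison) placed beside the standard encrypt-then-MAC fix. This is an added illustration, not code from the thread or from the JavaScrypt/PGcrypt pages it discusses; because the Python standard library has no AES, the cipher is a clearly labelled stand-in (HMAC-SHA256 in counter mode), and the keys and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Stand-in stream cipher: HMAC-SHA256 in counter mode, used only because the
# standard library has no AES. The integrity layer is what this example is about.
def keystream(key, iv, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# The construction criticised in the thread: an unkeyed MD5 digest of the
# plaintext travels with the message, the IV is not covered by it, and the
# digest is compared with a plain != (which exits on the first differing byte).
def weak_tag(plaintext):
    return hashlib.md5(plaintext).digest()  # no key: anyone can recompute it

def weak_encrypt(key, plaintext):
    iv = secrets.token_bytes(16)
    ct = xor(plaintext, keystream(key, iv, len(plaintext)))
    return iv, ct, weak_tag(plaintext)

def weak_decrypt(key, iv, ct, tag):
    pt = xor(ct, keystream(key, iv, len(ct)))
    if weak_tag(pt) != tag:
        return None
    return pt

# Encrypt-then-MAC: HMAC-SHA256 under a separate MAC key over IV || ciphertext,
# verified in constant time before a single byte of ciphertext is decrypted.
def safe_encrypt(enc_key, mac_key, plaintext):
    iv = secrets.token_bytes(16)
    ct = xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    return iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def safe_decrypt(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ct, keystream(enc_key, iv, len(ct)))
```

With the weak scheme, a party who knows the plaintext can change the message and recompute the digest without any key; with the MAC over IV and ciphertext, the same change (or a change to the IV alone) is rejected before decryption.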