[liberationtech] pgp message encryption and decryption using just a browser
Frank Corrigan
email at franciscorrigan.com
Tue Oct 5 04:07:47 PDT 2010
Thanks Steve, your detailed analysis is much appreciated.
Do you think that most of these risks you have highlighted are
mitigated against if http://www.fourmilab.ch/javascrypt/jscrypt.html is
downloaded locally and only used offline, under say the Private browsing
mode of FireFox or within a VM or LiveCD/USB?
As far as I can understand from the website's blurb, the text messages
are encrypted by a 256 bit shared key. Should an attacker get hold of
just the encrypted message and the shared key has not been compromised
it should still be quite difficult to crack the message?
Frank
Ref: * A collection of Web pages and programs in the JavaScript language
perform military-grade encryption (256 bit secret key AES) entirely
within your Web browser--you needn't download nor install any software,
and nothing is sent to any Web site when you encrypt or decrypt a
message. You can download the page source and JavaScript programs to
your own computer and use them even when not connected to the Internet.
http://www.fourmilab.ch/nav/topics/crypto.html
----- Original message -----
From: "Steve Weis" <steveweis at gmail.com>
To: "Frank Corrigan" <email at franciscorrigan.com>
Cc: "liberationtech at lists.stanford.edu"
<liberationtech at lists.stanford.edu>
Date: Mon, 4 Oct 2010 10:56:56 -0700
Subject: Re: [liberationtech] pgp message encryption and decryption using
just a browser
I took a look at the source. The AES implementation is by Fritz
Schneider, who has a background in crypto, security, and Javascript.
That code was written in 2001, so I'd expect it to have received a
decent level of scrutiny.
However, the rest of the integration has several issues:
1. It uses a plain MD5 digest for authentication, rather than a MAC.
This is a weak integrity check and not strong authentication.
2. It computes the authentication over the plaintext, rather than the
ciphertext.
3. The IV is not authenticated.
4. The digest verification is vulnerable to a timing attack.
5. It has its own PRNG and entropy gathering implementations. I don't
see an immediate issue, but these are hard to get right.
I think #1 & #3 could leave it open to a chosen ciphertext
attack and #2 may make it vulnerable to a padding attack. These can't
be fixed without throwing out the existing ciphertext format. #4 may
not be an issue in this setting.
I do not consider this safe to use.
On Mon, Oct 4, 2010 at 6:06 AM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> As a compromise, I have found:
> http://www.fourmilab.ch/javascrypt/jscrypt.html
>
> to be a useful symmetrical encryption and decryption of text facility
> and a full copy can be downloaded as one archived .zip file and used
> offline:
> http://www.fourmilab.ch/javascrypt/javascrypt.zip
>
> Thanks
> Frank
>
> ----- Original message -----
> From: "Frank Corrigan" <email at franciscorrigan.com>
> To: "liberationtech at lists.stanford.edu"
> <liberationtech at lists.stanford.edu>
> Date: Thu, 30 Sep 2010 14:24:04 +0100
> Subject: Re: [liberationtech] pgp message encryption and decryption using
> just a browser
>
> Below are details of the discussion I have been having with Herbert
> Hanewinkel <mail at hanewin.de> the developer of
> http://www.hanewin.net/encrypt/PGcrypt.htm and hope sharing will shed
> some light on the issues being raised.
>
> Frank
>
> In reverse chronology:
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>