[liberationtech] Fwd: SafeGDocs: encrypted documents in Google Drive

Steve Weis steveweis at gmail.com
Sat Apr 13 16:09:31 PDT 2013


Hi. SafeGDocs appears to use an unsafe implementation of AES-CTR mode from
here:
http://www.movable-type.co.uk/scripts/aes.html

Two problems with this library:
- It generates a predictable CTR mode IV using time of day.
- There is apparently no authentication of the ciphertext, which in CTR
mode means you can trivially modify messages.

The SafeGDocs overlay.js that calls the Movable Type AES library has been
minified for no apparent reason. I didn't bother to unminify it to look at
it.

This similar project, SecureDocs, happens to use the same library, but only
for a key derivation function. They're using Stanford's JS Crypto for the
actual encryption: http://www.mightbeevil.com/securedocs/

I haven't looked at SecureDocs in depth, but Nate Lawson gave it a thumbs
up:
http://rdist.root.org/2011/05/09/encrypted-google-docs-done-well/


On Sat, Apr 13, 2013 at 8:12 AM, Michael Rogers <michael at briarproject.org> wrote:

> -------- Original Message --------
> Date:   Mon, 08 Apr 2013 11:03:51 +0200
> From:   Carmela Troncoso <ctroncoso at gradiant.org>
> To:     pet at lists.links.org
>
> Hello everybody,
>
> in the last year we have been developing at Gradiant
> (http://www.gradiant.org/en.html) a Firefox addon that allows users to
> easily encrypt and share documents in Google Drive in such a way that
> data is not accessible to the service provider. We are now releasing a
> version and would love to have the feedback of the community both about
> its usability and security.
>
> You can download the addon here:
> http://www.safegdocs.com/en/home.html
>
> and find the associated academic papers here:
>
> http://www.gradiant.org/images/stories/2010_cloudviews_googledocsprivacy.pdf
>
> http://www.gradiant.org/images/stories/sharing_secure_documents_in_the_cloud.pdf
>
>
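
The two problems listed in the message above, shown as an added example that is not part of the original post and is not SafeGDocs or Movable Type code: unauthenticated CTR accepts a modified ciphertext, AES-GCM rejects it, and a repeated IV leaks the XOR of two plaintexts. It uses Node.js's built-in crypto module; the key, plaintexts and the fixed repeated IV are constructed, and the IV stands in for any IV that recurs rather than reproducing the library's actual derivation.

```javascript
// Added example: constructed key and plaintexts; Node.js built-in crypto only.
const nodeCrypto = require('node:crypto');

const KEY = nodeCrypto.randomBytes(32); // constructed 256-bit key

// Unauthenticated AES-CTR: encrypt and decrypt are the same keystream XOR.
function ctr(iv, data) {
  const c = nodeCrypto.createCipheriv('aes-256-ctr', KEY, iv);
  return Buffer.concat([c.update(data), c.final()]);
}

// Copy of buf with one bit of its first byte inverted (a modified ciphertext).
function flipBit(buf) {
  const out = Buffer.from(buf);
  out[0] ^= 0x01;
  return out;
}

// CTR round trip: returns whatever decrypts; there is nothing to verify.
function ctrRoundTrip(plaintext, modify) {
  const iv = nodeCrypto.randomBytes(16);
  const ct = ctr(iv, plaintext);
  return ctr(iv, modify ? flipBit(ct) : ct);
}

// AES-GCM round trip: random 96-bit nonce per message, 128-bit tag checked on decrypt.
// Returns the plaintext, or null when authentication fails.
function gcmRoundTrip(plaintext, modify) {
  const nonce = nodeCrypto.randomBytes(12);
  const enc = nodeCrypto.createCipheriv('aes-256-gcm', KEY, nonce);
  const ct = Buffer.concat([enc.update(plaintext), enc.final()]);
  const dec = nodeCrypto.createDecipheriv('aes-256-gcm', KEY, nonce);
  dec.setAuthTag(enc.getAuthTag());
  try {
    return Buffer.concat([dec.update(modify ? flipBit(ct) : ct), dec.final()]);
  } catch (err) {
    return null; // final() throws when the tag does not match the ciphertext
  }
}

// If an IV ever repeats under one key (a risk when it is derived from the clock
// alone, an assumption here), both messages share a keystream and the XOR of the
// ciphertexts equals the XOR of the plaintexts.
function ivReuseLeaksXor(p1, p2) {
  const iv = Buffer.alloc(16, 7); // constructed repeated IV
  const xor = (a, b) => Buffer.from(a.map((v, i) => v ^ b[i]));
  return xor(ctr(iv, p1), ctr(iv, p2)).equals(xor(p1, p2));
}
```

In streaming use of GCM, bytes returned by `update()` must not be acted on until `final()` has succeeded.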