[liberationtech] Fwd: SafeGDocs: encrypted documents in Google Drive
Carmela Troncoso
ctroncoso at gradiant.org
Thu Apr 18 02:24:01 PDT 2013
Hi Steve,
thanks so much for your feedback. We will change the AES implementation
asap, and Stanford's JS Crypto is a perfect candidate. Thanks for
pointing it out.
We have looked at the SecureDocs project, but the code on their website only
works with an old Firefox version. Do you know whether the authors plan to
release a new version according to the SPCC 2012 paper?
Kind regards,
Carmela
On 14/04/2013 1:09, Steve Weis wrote:
> Hi. SafeGDocs appears to use an unsafe implementation of AES-CTR mode
> from here:
> http://www.movable-type.co.uk/scripts/aes.html
>
> Two problems with this library:
> - It generates a predictable CTR mode IV using time of day.
> - There is apparently no authentication of the ciphertext, which in
> CTR mode means you can trivially modify messages.
>
> The SafeGDocs overlay.js that calls the Movable Type AES library has
> been minified for no apparent reason. I didn't bother to unminify it
> to look at it.
>
> This similar project, SecureDocs, happens to use the same library, but
> only for a key derivation function. They're using Stanford's JS Crypto
> for the actual encryption: http://www.mightbeevil.com/securedocs/
>
> I haven't looked at SecureDocs in depth, but Nate Lawson gave it a
> thumbs up:
> http://rdist.root.org/2011/05/09/encrypted-google-docs-done-well/
>
>
> On Sat, Apr 13, 2013 at 8:12 AM, Michael Rogers
> <michael at briarproject.org> wrote:
>
> -------- Original Message --------
> Date: Mon, 08 Apr 2013 11:03:51 +0200
> From: Carmela Troncoso <ctroncoso at gradiant.org>
> To: pet at lists.links.org
>
> Hello everybody,
>
> in the last year we have been developing at Gradiant
> (http://www.gradiant.org/en.html) a Firefox addon that allows users to
> easily encrypt and share documents in Google Drive in such a way that
> data is not accessible to the service provider. We are now releasing a
> version and would love to have the feedback of the community both
> about its usability and security.
>
> You can download the addon here:
> http://www.safegdocs.com/en/home.html
>
> and find the associated academic papers here:
> http://www.gradiant.org/images/stories/2010_cloudviews_googledocsprivacy.pdf
> http://www.gradiant.org/images/stories/sharing_secure_documents_in_the_cloud.pdf
>
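Added example, not part of the original thread and not code from SafeGDocs, SecureDocs, the Movable Type library or Stanford's JS Crypto: a Node.js sketch of the two points raised above, showing that a modified AES-CTR ciphertext decrypts without any error, while an authenticated mode (AES-GCM) with a random per-message nonce rejects the same modification. All function names and the sample text are constructed for illustration.

```javascript
const crypto = require('crypto'); // Node.js built-in module

// Unauthenticated AES-CTR, the construction criticised in the thread.
function ctrEncrypt(key, iv, plaintext) {
  const c = crypto.createCipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([c.update(plaintext), c.final()]);
}
function ctrDecrypt(key, iv, ciphertext) {
  const d = crypto.createDecipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([d.update(ciphertext), d.final()]);
}

// AES-GCM with a fresh random 96-bit nonce; output is nonce || ciphertext || tag.
function gcmSeal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, ct, c.getAuthTag()]);
}
function gcmOpen(key, sealed) {
  const nonce = sealed.subarray(0, 12);
  const tag = sealed.subarray(sealed.length - 16);
  const ct = sealed.subarray(12, sealed.length - 16);
  const d = crypto.createDecipheriv('aes-128-gcm', key, nonce);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on tag mismatch
}

// Return a copy of buf with one bit flipped at the given byte offset.
function flipBit(buf, offset) {
  const out = Buffer.from(buf);
  out[offset] ^= 0x01;
  return out;
}

function demo() {
  const key = crypto.randomBytes(16);
  const doc = Buffer.from('constructed sample document'); // constructed input
  const iv = crypto.randomBytes(16);
  const ctrTampered = ctrDecrypt(key, iv, flipBit(ctrEncrypt(key, iv, doc), 0));
  let gcmRejected = false;
  try { gcmOpen(key, flipBit(gcmSeal(key, doc), 12)); } catch (e) { gcmRejected = true; }
  return {
    ctrSilentlyChanged: !ctrTampered.equals(doc), // CTR: altered text, no error
    ctrTampered: ctrTampered.toString(),
    gcmRejected,                                  // GCM: modification detected
    gcmRoundTrip: gcmOpen(key, gcmSeal(key, doc)).toString(),
  };
}
```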