Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Encipher.it

Steve Weis steveweis at gmail.com
Wed Jun 19 10:06:34 PDT 2013


I have one correction to my quick look at the encipher.it code. I had
misread this line:
"hmac = hex_hmac_sha1(key, _this.text);" in https://encipher.it/javascripts/
encipher.js

I did not notice the second parameter and thought this was just MACing a
key, which wouldn't make much sense. It's actually MACing the plaintext. That's
still questionable since the generally accepted practice is to
Encrypt-then-MAC. Colin Percival has a good post why:
http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html

I also noticed the verification code might be susceptible to a timing
attack:
"if (hex_hmac_sha1(key, text) === hmac)"

I was also asked offline how to compose these primitives correctly. Making
it safe and easy for developers to use crypto was one of the motivations of
Keyczar, which may be a good reference: https://code.google.com/p/keyczar/

Another option is NaCl (Networking and Crypto Library, not Native Client),
which has a simple C/C++ interface: http://nacl.cr.yp.to/index.html

And if you decide to ignore everyone telling you not to implement
server-hosted JS crypto, the Stanford JS Crypto Library is decent:
http://crypto.stanford.edu/sjcl/


On Tue, Jun 18, 2013 at 1:05 PM, Steve Weis <steveweis at gmail.com> wrote:

> It's not safe.
>
> This is their bookmarklet:
>
> (function(){document.body.appendChild(document.createElement('script')).src='
> https://encipher.it/javascripts/inject.js';})();
>
> That loads a JavaScript file from the encipher.it site, which can be
> changed at any time and compromise your messages without your knowledge.
>
> The actual call to encrypt data is here:
> https://encipher.it/javascripts/encipher.js :
> """
> hmac = hex_hmac_sha1(key, _this.text);
> hmac += hmac.slice(0, 24);
> cipher = hmac + salt + Aes.Ctr.encrypt(_this.text, key, 256);
> """
>
> They're MACing the key for some reason, then using unauthenticated CTR
> mode without an HMAC. So this is completely vulnerable to someone modifying
> the ciphertext.
>
> That CTR mode is implemented by this:
> https://encipher.it/javascripts/AES.js. That's using the time of day as a
> nonce combined with a weak JS Math.random(). That's vulnerable to some
> attacks as well.
>
> Generally, I'd assume that a random crypto project you run across is
> probably not safe.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130619/4dee0218/attachment.html>


More information about the liberationtech mailing list