Re: [liberationtech] Encipher.it

2013-06-20 Thread Michael Rogers

On 19/06/13 18:06, Steve Weis wrote:
 I also noticed the verification code might be susceptible to a
 timing attack: if (hex_hmac_sha1(key, text) === hmac)

It looks like the adversary might be able to bypass MAC checking
entirely: decryptNode() accepts a message if either the first 40 bytes
are a valid HMAC or the first 64 bytes are the hash of the plaintext.
If the adversary can guess the real plaintext then she can modify the
CTR ciphertext to produce a new plaintext and authenticate it by
replacing the MAC with the hash of the new plaintext.

Cheers,
Michael

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Encipher.it

2013-06-19 Thread Steve Weis
I have one correction to my quick look at the encipher.it code. I had
misread this line:
hmac = hex_hmac_sha1(key, _this.text); in https://encipher.it/javascripts/encipher.js

I did not notice the second parameter and thought this was just MACing a
key, which wouldn't make much sense. It's actually MACing the plaintext. That's
still questionable since the generally accepted practice is to
Encrypt-then-MAC. Colin Percival has a good post why:
http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html

I also noticed the verification code might be susceptible to a timing
attack:
if (hex_hmac_sha1(key, text) === hmac)

I was also asked offline how to compose these primitives correctly. Making
it safe and easy for developers to use crypto was one of the motivations of
Keyczar, which may be a good reference: https://code.google.com/p/keyczar/

Another option is NaCl (Networking and Crypto Library, not Native Client),
which has a simple C/C++ interface: http://nacl.cr.yp.to/index.html

And if you decide to ignore everyone telling you not to implement
server-hosted JS crypto, the Stanford JS Crypto Library is decent:
http://crypto.stanford.edu/sjcl/


On Tue, Jun 18, 2013 at 1:05 PM, Steve Weis stevew...@gmail.com wrote:


[liberationtech] Encipher.it

2013-06-18 Thread Lorenzo Franceschi Bicchierai
Have you guys seen this?

https://encipher.it/

I've searched through the archives but didn't see anything. I'm wondering
how safe this is.

It has received some small attention on the media before.

http://www.pcworld.com/article/255938/encipher_it_encrypts_email_for_free.html

Thoughts?

-- 
Lorenzo Franceschi-Bicchierai
Mashable (http://www.mashable.com) Junior US & World Reporter
lore...@mashable.com | lorenzo...@gmail.com
#: (+1) 917 257 1382
Twitter: @lorenzoFB http://www.twitter.com/lorenzoFB
Skype: lorenzofb8
OTR: lorenz...@jabber.ccc.de
www.lorenzofb.com

Re: [liberationtech] Encipher.it

2013-06-18 Thread Steve Weis
It's not safe.

This is their bookmarklet:
(function(){document.body.appendChild(document.createElement('script')).src='https://encipher.it/javascripts/inject.js';})();

That loads a JavaScript file from the encipher.it site, which can be
changed at any time and compromise your messages without your knowledge.

The actual call to encrypt data is here:
https://encipher.it/javascripts/encipher.js :

hmac = hex_hmac_sha1(key, _this.text);
hmac += hmac.slice(0, 24);
cipher = hmac + salt + Aes.Ctr.encrypt(_this.text, key, 256);


They're MACing the key for some reason, then using unauthenticated CTR mode
without an HMAC. So this is completely vulnerable to someone modifying the
ciphertext.

That CTR mode is implemented by this:
https://encipher.it/javascripts/AES.js. That's
using the time of day as a nonce combined with a weak JS Math.random().
That's vulnerable to some attacks as well.

Generally, I'd assume that a random crypto project you run across is
probably not safe.


On Tue, Jun 18, 2013 at 11:51 AM, Lorenzo Franceschi Bicchierai 
lorenzo...@gmail.com wrote:


Re: [liberationtech] Encipher.it

2013-06-18 Thread Wasabee
Why does everyone want to trust yet another third party to encrypt data 
on their behalf :)?
If you want to encrypt stuff, you should do it on your machine. Maybe what 
people should be searching for is an easy-to-use, audited and open 
source stack to do it.
If we are too lazy to do it ourselves and want to outsource it to an 
online service, then we don't really value our privacy after all. There is 
no gain without a little pain.


On 18/06/2013 21:05, Steve Weis wrote:



Re: [liberationtech] Encipher.it

2013-06-18 Thread Griffin Boyce
Wasabee wasabe...@gmail.com wrote:

  why does everyone want to trust yet another third party to encrypt data
 on their behalf :)?


  We're all relying on someone else's code to some extent, which is why I
fully support approaching groups of knowledgeable people for their input. :D

~Griffin

Re: [liberationtech] Encipher.it

2013-06-18 Thread Cooper Quintin
Agreed,
Security is all about trust. If you install PGP in Debian you are
trusting package maintainers, package server administrators, whoever
most recently patched the PGP code, the Debian OS, the hardware that your
computer is running on and the other applications running on your OS.

Most people don't want to take the time to learn how to use a
complicated system like pgp (and say what you will but PGP is a huge
pain for most people to use on a daily basis).  Most people would very
much like to trust a third party to encrypt on their behalf.  The
problem is that most of those third parties are not actually very
reliable when it comes down to it.

Cooper Quintin
Technology Director
radicalDESIGNS
1201 Martin Luther King Jr. Blvd, Oakland, CA
PGP Key ID: 75FB 9347 FA4B 22A0 5068 080B D0EA 7B6F F0AF E2CA

On 06/18/2013 02:14 PM, Griffin Boyce wrote: