Re: [liberationtech] Encipher.it
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 19/06/13 18:06, Steve Weis wrote:
> I also noticed the verification code might be susceptible to a timing
> attack:
>
>     if (hex_hmac_sha1(key, text) === hmac)

It looks like the adversary might be able to bypass MAC checking entirely:
decryptNode() accepts a message if either the first 40 bytes are a valid
HMAC or the first 64 bytes are the hash of the plaintext. If the adversary
can guess the real plaintext then she can modify the CTR ciphertext to
produce a new plaintext and authenticate it by replacing the MAC with the
hash of the new plaintext.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRwtNxAAoJEBEET9GfxSfMpbMH/1Pcln56XtFQ1AFcwhKZlY/w
iDnnuq2DAsGFd7PtM/0fMq+amgtHOPWm0DzOxPa8TeOqcyXmsPqYYPLYH5kQ87Xa
T+AU377EZQoPNMazA88OkMhOPhwhxDkpTYaFXOwl6mRu4jPk3PLBimWZz1IU0jUY
52rGTT4fptsJwgGjFcATbw/k4RpE9TUpHguDhximadOim+suww1ymHK2kNeLwyOl
Bn/vPZtkoUzoOAgXEgUGONa4b3jlFHbcEEjxL2KtNjvG99X6RsrWq8XJmlOebKB7
CQaQio1kdiyLAuLUtBy9A36DBRTyOW8c72HYhNXiR2jeIEPXID5kHDLuPEEt1S0=
=qiN4
-----END PGP SIGNATURE-----

--
Too many emails? Unsubscribe, change to digest, or change password by
emailing moderator at compa...@stanford.edu or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Encipher.it
I have one correction to my quick look at the encipher.it code. I had
misread this line:

    hmac = hex_hmac_sha1(key, _this.text);

in https://encipher.it/javascripts/encipher.js

I did not notice the second parameter and thought this was just MACing a
key, which wouldn't make much sense. It's actually MACing the plaintext.
That's still questionable since the generally accepted practice is to
Encrypt-then-MAC. Colin Percival has a good post why:
http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html

I also noticed the verification code might be susceptible to a timing
attack:

    if (hex_hmac_sha1(key, text) === hmac)

I was also asked offline how to compose these primitives correctly. Making
it safe and easy for developers to use crypto was one of the motivations
of Keyczar, which may be a good reference:
https://code.google.com/p/keyczar/

Another option is NaCl (Networking and Crypto Library, not Native Client),
which has a simple C/C++ interface:
http://nacl.cr.yp.to/index.html

And if you decide to ignore everyone telling you not to implement
server-hosted JS crypto, the Stanford JS Crypto Library is decent:
http://crypto.stanford.edu/sjcl/

On Tue, Jun 18, 2013 at 1:05 PM, Steve Weis stevew...@gmail.com wrote:
> It's not safe. This is their bookmarklet: [...]
[liberationtech] Encipher.it
Have you guys seen this? https://encipher.it/

I've searched through the archives but didn't see anything. I'm wondering
how safe this is. It has received some small attention in the media before.
http://www.pcworld.com/article/255938/encipher_it_encrypts_email_for_free.html

Thoughts?

--
Lorenzo Franceschi-Bicchierai
Mashable http://www.mashable.com
Junior US World Reporter
lore...@mashable.com | lorenzo...@gmail.com
#: (+1) 917 257 1382
Twitter: @lorenzoFB http://www.twitter.com/lorenzoFB
Skype: lorenzofb8
OTR: lorenz...@jabber.ccc.de
www.lorenzofb.com
Re: [liberationtech] Encipher.it
It's not safe. This is their bookmarklet:

    (function(){document.body.appendChild(document.createElement('script')).src='https://encipher.it/javascripts/inject.js';})();

That loads a JavaScript file from the encipher.it site, which can be
changed at any time and compromise your messages without your knowledge.

The actual call to encrypt data is here:
https://encipher.it/javascripts/encipher.js :

    hmac = hex_hmac_sha1(key, _this.text);
    hmac += hmac.slice(0, 24);
    cipher = hmac + salt + Aes.Ctr.encrypt(_this.text, key, 256);

They're MACing the key for some reason, then using unauthenticated CTR
mode without an HMAC. So this is completely vulnerable to someone
modifying the ciphertext.

That CTR mode is implemented by this: https://encipher.it/javascripts/AES.js.
That's using the time of day as a nonce combined with a weak JS
Math.random(). That's vulnerable to some attacks as well.

Generally, I'd assume that a random crypto project you run across is
probably not safe.

On Tue, Jun 18, 2013 at 11:51 AM, Lorenzo Franceschi Bicchierai
lorenzo...@gmail.com wrote:
> Have you guys seen this? https://encipher.it/ [...]
Re: [liberationtech] Encipher.it
Why does everyone want to trust yet another third party to encrypt data on
their behalf :)? If you want to encrypt stuff, you should do it on your
machine.

Maybe what people should be searching for is an easy-to-use, audited and
open source stack to do it. If we are too lazy to do it ourselves and want
to outsource it to an online service, then we don't really value our
privacy after all. There is no gain without a little pain.

On 18/06/2013 21:05, Steve Weis wrote:
> It's not safe. This is their bookmarklet: [...]
Re: [liberationtech] Encipher.it
Wasabee wasabe...@gmail.com wrote:
> why does everyone want to trust yet another third party to encrypt data
> on their behalf :)?

We're all relying on someone else's code to some extent, which is why I
fully support approaching groups of knowledgeable people for their input.
:D

~Griffin
Re: [liberationtech] Encipher.it
Agreed, security is all about trust. If you install PGP in Debian you are
trusting package maintainers, package server administrators, whoever most
recently patched the PGP code, the Debian OS, the hardware that your
computer is running on and the other applications running on your OS.

Most people don't want to take the time to learn how to use a complicated
system like PGP (and say what you will, but PGP is a huge pain for most
people to use on a daily basis). Most people would very much like to trust
a third party to encrypt on their behalf. The problem is that most of
those third parties are not actually very reliable when it comes down to
it.

Cooper Quintin
Technology Director
radicalDESIGNS
1201 Martin Luther King Jr. Blvd, Oakland, CA
PGP Key ID: 75FB 9347 FA4B 22A0 5068 080B D0EA 7B6F F0AF E2CA

On 06/18/2013 02:14 PM, Griffin Boyce wrote:
> Wasabee wasabe...@gmail.com wrote:
>> why does everyone want to trust yet another third party to encrypt
>> data on their behalf :)?
>
> We're all relying on someone else's code to some extent, which is why I
> fully support approaching groups of knowledgeable people for their
> input. :D
>
> ~Griffin