Home

Recent
Archive

Numerical experiments, Tips, Tricks and Gotchas

Numerically speaking

Client side cryptography

Introduction

I am not comfortable with transmitting plain text information over the Internet. Therefore, the information should be encrypted on my computer. Robert Accettura nicely formulated the whole procedure this way [1]:

  1. Your data is created on your computer (obviously).
  2. Your data is encrypted on your computer.
  3. Your data is transmitted securely to servers in an encrypted state.
  4. Your data is retrieved and decrypted on your computer.
"The only one who can ever decrypt your data is you" [1].

The most accessible and cross-platform tool is a web browser so it would be nice to implement this in JavaScript.

JS crypto libraries

As I realized, there are a lot of good encryption libraries nowadays.

Security and other considerations

In general, client side encryption is not considered secure. In particular, it should not be used for an authentication [10], [11]. It was also pointed out that if a password was lost, there is no way to restore or reset the password [12].

My objective is relatively narrow: to be sure that relatively small amounts of sensitive information never leaves my computer unencrypted.

Implementations

There are several implementations which allow encryption suitable for uploading to a server/cloud or for sending via email [6], [7], [13], [14]. Unfortunately they are typically buried in broader discussions. In particular, in [6], [7] Chris Veness discusses his implementation of the TEA and AES algorithms. Also all implementations use external JavaScript files. Nothing is wrong with the external files if a source is trusted. The script is loaded before encryption is called [15], but I decided to make a purely local implementation.

Local implementation

After reviewing existing libraries [2], I have chosen the most popular, Jeff Mott's implementation of the AES algorithm [3]. I used a slightly modified layout from [6] and the recommendations from [14], [16]. For a local implementation it would be enough to reference the preloaded file (e.g. in the same directory):

<script src="aes.js"></script>
In order to reduce dependences, I used an embedded script: Local client side encryption.

Discussion

The algorithm is implemented as JavaScript code. This code is executed in a browser of a local computer. Nothing is sent to the server. All information disappears after closing the browser. The algorithm is not secret, all security is in the password/key (up to 256 characters)..

Encryption:

  1. Enter your password (key) - any printable characters, including spaces
  2. Type or paste your message in the upper text area
  3. Press "Encrypt"
  4. Get the encrypted text in the middle text area. It is ready to paste into your e-mail (not as an attachment)

Decryption:

  1. Enter your password (key) - any printable characters
  2. Paste   in the middle text area the encrypted message (one long line, without extra characters and spaces in the beginning and the end)
  3. Press "Decrypt"
  4. Get the restored text in the lower text area
This procedure fits the requirements formulated in the introduction. A zipped HTML file can be downloaded here.

 

References

  1. Robert Accettura, Wanted: Native JS Encryption
  2. JavaScript Crypto Libraries
  3. Jeff Mott, CryptoJS
  4. Davide Barranca, CryptoJS Tutorial For Dummies
  5. Chris Veness, Movable Type Ltd, Sample projects; Useful scripts
  6. Chris Veness, Tiny Encryption Algorithm
  7. Chris Veness, AES industrial-strength encryption algorithm
  8. Chris Veness, SHA-256 cryptographic hash function
  9. Chris Veness, Libraries of cryptographic functions implemented in JavaScript
  10. Thomas Ptacek, Javascript Cryptography Considered Harmful
  11. Tony Arcieri, What's wrong with in-browser cryptography?
  12. stackoverflow, Web app with client-side encryption
  13. The Operator, Client-side AES Encryption Using Google Javascript Crypto Library
  14. Ram Kulkarni, Encrypting data with Crypto-JS in JavaScript
  15. Jake Archibald, Deep dive into the murky waters of script loading
  16. stackoverflow, JavaScript string encryption and decryption?

 

© Nikolai Shokhirev, 2012-2024

email: nikolai(dot)shokhirev(at)gmail(dot)com

Count: