3

I'm searching for a JavaScript library that offers secure encryption. The client has to generate a key and all data uploaded to the server is encrypted, all data downloaded is decrypted. I need an authenticated encryption scheme, just CTR or CBC isn't enough.

I heard about sjcl, but it seems that sjcl can only encrypt the whole data at once. I didn't find a way to encrypt the data blockwise. Because the uploaded files can be very large, this approach isn't feasible. I need something like the Java crypto interface with two methods update() and final().

I found the nodeJS crypto library that seems to do what I need, but I don't know how to use it on browser side.

I found google crypto-js, but this library doesn't seem to offer authenticated encryption but only the standard modes.

Is there a way to encrypt data blockwise with sjcl? To use the nodeJS crypto library on browser side? To use authenticated encryption with crypto-js? Or is there another secure javascript library that offers what I need?

Heinzi
  • Since your client is running in the browser, you can only avoid active attacks by using TLS. And TLS already provides security for your communication, so I don't get what your client side encryption aims to achieve. Are you trying to write a host proof application? – CodesInChaos Jun 29 '12 at 10:25
  • The server isn't trusted and shouldn't be able to decrypt the file. It is just stored encrypted and later downloaded encrypted and decrypted locally. So TLS isn't feasible. – Heinzi Jun 29 '12 at 10:26

3 Answers

3

Short answer
I'm afraid this is not impossible.

Long answer
Because you cannot guarantee the integrity of the Javascript library, you cannot rely on it doing what you expect it to do. As a result, you cannot guarantee any security.

This issue has been discussed extensively and always ends in the same conclusion: Without any two-way authentication and secure channel, your client has no method of verifying the correctness of the library. If any man-in-the-middle changed the crypto routines, your client would not know, let alone that you would ever find out.

So, to guarantee security, you will need SSL and client certificates.
(non-guaranteed security does, of course, not exist)

Jacco
  • I did read some of these discussions. But if the server delivering the javascript is trusted, the script can protect the data, so another host (where it is uploaded to) can't access it. I use SSL additionally but SSL can't protect the data from the server that stores it. – Heinzi Jun 29 '12 at 10:38
  • I'm not sure I understand your comment.. however, keep in mind that not only the server delivering the javascript, but also the network must be trusted. – Jacco Jun 29 '12 at 12:14
  • 1
    Which is ensured via SSL. I want to offer an SAAS application (the SAAS service is run by a trusted server using SSL) that is able to upload data to other hosting providers. They are not trusted, so the data sent there should be encrypted and authenticated. – Heinzi Jun 29 '12 at 13:57
2

Apart from CCM as deployed by SJCL is a stream cipher mode, I would take a careful look at it and not just look at the convenience wrappers. It's open source, so somewhere there should be the implementation of the raw cipher anyway.

Note that this is not code that should be ultimately trusted. When I tried to program a Java wrapper for it I quickly found an error that authentication failed. Seems like the convenience library did not authenticate the associated authentication data at all. As it isn't tested with other libraries, I would urge you to take care there aren't some leftover bugs present.

Maarten Bodewes
  • Thanks for the accept. Note that by now another serious issue regarding the random number generation has been found in SJCL - keep a good watch on the mailing list. – Maarten Bodewes Jul 29 '12 at 17:28
0

Is there any reason why you need to push to an untrusted server from your client?

If the server that is delivering your website is trusted, then you should be able to post your data back to the trusted server, have the trusted server encrypt, and then the trusted server can send the data to the untrusted server for storage.

Mike