Javascript Cryptography Considered Harmful

An interesting article http://www.matasano.com/articles/javascript-cryptography/

WHAT DO YOU MEAN, "JAVASCRIPT CRYPTOGRAPHY"?
============================================

We mean attempts to implement security features in browsers using cryptographic algorithms implemented in whole or in part in Javascript.

You may now be asking yourself, "What about Node.js? What about non-browser Javascript?". Non-browser Javascript cryptography is perilous, but not doomed. For the rest of this document, we're referring to browser Javascript when we discuss Javascript cryptography.

WHAT ARE SOME EXAMPLES OF "DOOMED" BROWSER CRYPTOGRAPHY?
========================================================

You have a web application. People log in to it with usernames and passwords. You'd rather they didn't send their passwords in the clear, where attackers can capture them. You could use SSL/TLS to solve this problem, but that's expensive and complicated. So instead, you create a challenge-response protocol, where the application sends Javascript to user browsers that gets them to send HMAC-SHA1(password, nonce) to prove they know a password without ever transmitting the password.

Or, you have a different application, where users edit private notes stored on a server. You'd like to offer your users the feature of knowing that their notes can't be read by the server. So you generate an AES key for each note, send it to the user's browser to store locally, forget the key, and let the user wrap and unwrap their data.

[...]

Henry

Social Web Architect
http://bblfish.net/

Received on Monday, 12 September 2011 14:36:46 UTC
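
The challenge-response login described in the first quoted example, with both sides' messages, as an added illustration that is not code from the article or from this message. It runs under Node.js so the exchange can be inspected offline; the function names, the sample account, and the choice of the password as the HMAC key with the nonce as the message are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed sample account. To recompute the HMAC, the server has to keep
// the password itself (or an equivalent secret) for every user.
const users = new Map([['alice', 'correct horse battery staple']]);
const pending = new Map(); // username -> outstanding nonce, single use

// HMAC-SHA1(password, nonce): password as key, nonce as message (assumed order).
function hmacSha1Hex(password, nonce) {
  return crypto.createHmac('sha1', password).update(nonce).digest('hex');
}

// Server, message 1: a fresh random nonce for this login attempt.
function issueChallenge(username) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(username, nonce);
  return { nonce };
}

// Client, message 2: what the Javascript delivered by the server would compute.
// The password never leaves the client; only the HMAC does.
function clientRespond(password, challenge) {
  return { response: hmacSha1Hex(password, challenge.nonce) };
}

// Server: recompute and compare. The nonce is consumed first, so a captured
// response cannot be replayed against the same challenge.
function verifyResponse(username, message) {
  const nonce = pending.get(username);
  pending.delete(username);
  const password = users.get(username);
  if (nonce === undefined || password === undefined) return false;
  const expected = Buffer.from(hmacSha1Hex(password, nonce), 'hex');
  const got = Buffer.from(String(message.response), 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```

Everything the client computes here depends on the script the server sent it, which is the part the article is concerned with.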