Wolf is 100% correct. These details make it sound like this product is insecure. We definitely don't want ecb mode or a weak kdf like 1 round of sha256 with no salt.
BUT before anyone lambasts this guy, it's good the author posted so mistakes can be learned from the feedback, that way others get exposed to the issues, and less mistakes are made in the future. In my opinion, there is too much hate for people who make mistakes when writing code, when in reality that's how you learn. Few people learn all the theory first and THEN how to build it, it's often learn to build then the theory.
This is true for every kind of software except security things.
It's really hard for a novice to find something that will actually protect them in between all the "convenient cloud solutions" that an intern cobbled together in their lunch break using some javascript they found on github.
The Finnish security company F-Secure revealed a secure cloud service, called Younited (https://www.younited.com/). It did not catch on. The active user amounts stayed at near zero level so it was sold to a company called Synchronoss.
F-Secure initially hoped that their good reputation, and the fact that the servers are located in countries without draconian spying legislation would be enough. They seriously hoped to make a star product out of their secure cloud service.
Well, secure against whom? Simply installing the applications and completing registration process revealed instantly that the service is insecure. Yes, in compliance sense "everything is encrypted", but the keys are clearly held server side. The customer has absolutely no control over the key management and storage, meaning they are at F-Secure's mercy, and F-Secure can technically open everything for authorities.
Now the actually interesting part of the story: The problem isn't the implementation. The problem isn't that they marketed it as secure. The important alpha users on this product area are way too savvy, and stayed away. As per the standard innovation diffusion model, they did not drag other users in. Not marketing the service as secure would have yielded better results!
It's funny how even serious software security companies screw things up. Even when they are attempting for a strategic new product positioning, and even when at near clear blue sea situation.
No it is even true for security things BUT the authors need to have no problem taking a dose of humble pie and labeling the project as completely insecure.
I don't see anything wrong with writing security software that is insecure as long as you don't pretend it is secure....
I really dislike when companies say it their product encrypts with "256-bit encryption" or "AES-256". Like you said, that is an incomplete description of an encryption scheme. The choice of block cipher mode can immediately make or break my opinion of a product, and when developers omit what mode they've chosen, I lean toward break.
Heh, that reminds me of when the "Trillian" IM client advertised "128-bit blowfish" encryption, but used 128-bit DH to negotiate the key (this many years ago).
The old best practice was RSA (with OAEP padding), AES CBC (with PKCS 7 padding), HMAC-SHA-2 (for TLS, AES GCM is better than AES CBC + HMAC, but I don't know if it's true in general). The new best practice seems to be something based on Curve25519 with SALSA/XSALSA/CHACHA + POLY1305.
CFRG has been trying for a year to come up with recommendation for TLS 1.3 on how to use 25519 and stronger curves in better primitives than ECDSA. ChaCha20+Poly1305 is getting more progress getting standardized, but still very slowly[0][1][2][3]. If you want to be sane then don't look into how sausages, laws and standards get made.
PBKDF2 is still the gold standard for converting a password to an encryption key, right? bcrypt has some desirable properties, but it has a fixed output length of 192 bits.
@all: thanks a lot for your feedback! It's good to see that so many people care about security. To quickly summarize your questions: We are using the secure CBC mode and have always used it ;) You can have a look on the source code directly on the website (because it's all client side JavaScript), but some parts of it are minified. We are working on a detailed description of the technology behind InstantCryptor and will publish it soon via Twitter (@cloudrail). If you are interested in the technology to easily add cloud storage into your application visit cloudrail.com to get a free copy.
I don't know that I'd necessary push for ChaCha20, but lack of ciphertext authentication is a clear problem. AES-GCM or even AES-CBC with an HMAC that's validated prior to decryption can provide the needed authenticity checks.
I've built a similar piece of javascript crypto: PasswordProtectMyFile.com. It's a single HTML page that can work with internet turned off. The ciphertext is another HTML page with all the javascript needed to decrypt itself.
We are using CBC as block cipher mode. I totally understand that open sourcing the complete code is the only way for you to review it and trust it completely. We decided to write a detailed report about the encryption and how we use it and will publish the report soon via Twitter.
How do you generate the initialization vector? CBC mode requires an unpredictable IV, which usually equals cryptographic random number.
> var hash = crc.Crypto.Hash.SHA256.hash(password.value),
> crypter = new Crypt.Mode.Licobo(new Crypt.Rijndael256(hash)),
From the code I cannot see any generation of IV, so I can only assume that the same IV is used every time. A predictable IV leads to many kinds of attacks. In particular, since the key is generated without salting, this means that a combination of the same key and IV will be used for multiple files, completely defeats the confidentiality.
And no integrity protection whatsoever? So vulnerable to bit flipping attacks?
A small side project to encrypt files for Dropbox and Google Drive. Encryption happens locally in the browser via JavaScript. The key never leaves the local computer. Happy for any feedback or comments ;)
Even with proper algorithms, per-file encryption leaks quite a lot of meta-data, sizes and usage patterns; also the cloud provider can transparently delete, corrupt and revert files to previous versions.
I wrote a backup/archive tool [0] that uses authenticated encryption, scrypt, and local key management. The only thing it leaks [1] is the amount of new data added on each snapshot.
And we do not store or even transfer your Dropbox or Google password on our servers. It runs locally in your browser. Feel free to double check this in the source code ;)
That's the problem with in-browser crypto, though: you could change the source code at-will. You could even serve different versions of the source code to different people. You might even be compelled by your state to do so, even if you wished not to.
Better to deliver the end-user a piece of code he can examine once and trust going forward.
ooh. I made an app that encrypts files on Android written in Java and has a C# written client for Windows.
I have released the java source code. I should post it here on HN to look at it and rip me a new one.
What I am sketchy about is how does embedding an unencrypted salt used for the PBKDF2 in the file not potentially make guessing of the passphrase easier
To answer your question about the the salt and the PBKDF2:
salt ensures that the hash of my password is different from someone else's, even if we use the same password (or I use the same password on another site).
Thus, if someone has the hashes, and wants to attack the system, then need to attack each password independently (they can't just run a password dictionary through the PKDF2 (or SHA256 in this case - very bad choice)) and then compare the results against all of the password hashes. They have to start with the salt (different for each user), and then run each password guess through the algorithm. Much slower. Much better.
Which brings us to PBKDF2 instead of SHA256: SHA256 is designed to be fast. That's bad when hashing passwords, because it makes offline dictionary-based attacks faster. Password Derivation functions are designed to be slow. That makes logging on very slightly slower, but makes offline attacks much, much slower.
However, doing the encryption in Javascript is a fatal problem: At any time, they can update (or be forced to update) the javascript to send the server my password when I use it, and the only way I can protect myself from this is to audit the code, EVERY TIME I USE IT.
Why do you consider unsalted SHA-256 a bad choice here? If neither the password nor its hash are stored and the hash is merely used as a key for the CBC, I don't see how anyone could construct rainbow tables for that. Care to explain?
SHA256 is not a KDF, AES-256 is not a block cipher mode. Where is the source code?