Chausies.xyz/encrypt Security Overview

This webapp is for public-key encryption. The example usage is that Alice inputs a password and gets her public ID (her public key). Then Bob can encrypt a Message for Alice's ID, and the Encrypted Message can only be decrypted by Alice via entering her Password. Even if Alice and Bob communicate over an open channel, with Alice sending Bob her ID and Bob sending Alice the Encrypted Message, no one can make out Alice's Password or Bob's Message.

This webapp is hosted and served by GitHub. The URL chausies.xyz/encrypt is just a CNAME for the chausies.github.io/encrypt URL, which can be verified by this CNAME lookup. The accompanying JavaScript and HTML files are all open source and on GitHub, and you're guaranteed that those are the files being served by the website securely through TLS. The entire webapp uses only client-side JavaScript, with nothing leaving your computer and no interaction with any servers. In fact, the webapp can run completely offline.

Now, for the technical security details of the webapp. This webapp implements public-key encryption via Elliptic Curve Cryptography with 256 bits of security, using the ECIES algorithm, as described in this Crypto Stackexchange answer. Curve25519 is used as the Elliptic Curve. The private key a of the receiver Alice is the PBKDF2 digest of her password, using 10000 iterations and a 256-bit salt. The private key b of Bob is a securely randomly chosen 256-bit number, generated using the CSPRNG window.crypto.getRandomValues. The encryption used for the message is AES in GCM mode. The hashing used for Bob's Message is SHA256 with a 256-bit salt.

This webapp uses two pure JavaScript libraries, neither of which has any outside dependencies. The first is BigInteger.js, which is used for its implementation of integers larger than 32 bits as well as its support for discrete math operations like modular arithmetic, which are needed to implement Elliptic Curve Cryptography (ECC). The second library is the Stanford Javascript Crypto Library (SJCL), which is a highly vetted and reliable crypto library endorsed by Stanford Cryptography Professor Dan Boneh. SJCL is used for its implementations of PBKDF2, AES with GCM mode, and SHA256.

The rest of the code for the webapp, including the implementations of ECC and ECIES, can be found at encrypt.html and encrypt.coffee. (Note that CoffeeScript is used to make the code look simple and straightforward; the actual JavaScript is just the compiled version of this CoffeeScript.) The code is easy to follow at a high level and easy to vet.

Finally, there are only two main vulnerabilities for this webapp. The first is that the user might use a password that's too simple, such as "password". To mitigate this, a secure random 128-bit password is provided by default. At the very least, a password with 50-60 bits of entropy is recommended. The second main vulnerability is a Man-in-the-Middle attack. While this webapp uses Authenticated Encryption to protect against the tampering of messages (i.e. changing around the letters of the ID or Encrypted Message will result in decryption throwing a "Password does not match!" error), it does not protect against a middleman outright switching your communications for something else. For example, if Alice sends Bob her ID through the middleman Mallory, then Mallory could give Bob her own ID instead, which would mean that Bob encrypts his message for Mallory thinking he's encrypting it for Alice. Basically, this webapp only guarantees safety against eavesdroppers. In order to have protection from a man-in-the-middle attack, Alice should give Bob her ID through a secure channel beforehand.
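The scheme from the technical details above, and the limit of its tamper protection described in this paragraph, as an added sketch that is not the webapp's own code: it uses Node's built-in crypto module instead of BigInteger.js and SJCL. The salt values, the hex encoding of the ID, the HMAC-SHA256 choice for PBKDF2, the salt-then-secret KDF layout and all function names are assumptions.

```javascript
const crypto = require("crypto");

// ASSUMPTION: fixed public 256-bit salts, constructed here; the app's real values are not on the page.
const PW_SALT = crypto.createHash("sha256").update("constructed-pbkdf2-salt").digest();
const KDF_SALT = crypto.createHash("sha256").update("constructed-kdf-salt").digest();
// Standard DER headers that wrap a raw 32-byte X25519 key as PKCS#8 (private) or SPKI (public).
const PKCS8 = Buffer.from("302e020100300506032b656e04220420", "hex");
const SPKI = Buffer.from("302a300506032b656e032100", "hex");

// Alice's private key a = PBKDF2(password), 10000 iterations (HMAC-SHA256 assumed).
function privFromPassword(password) {
  const a = crypto.pbkdf2Sync(password, PW_SALT, 10000, 32, "sha256");
  return crypto.createPrivateKey({ key: Buffer.concat([PKCS8, a]), format: "der", type: "pkcs8" });
}
// The public ID is the hex-encoded Curve25519 public key (hex is an assumed encoding).
function publicId(priv) {
  const der = crypto.createPublicKey(priv).export({ format: "der", type: "spki" });
  return der.subarray(SPKI.length).toString("hex");
}
function pubFromId(id) {
  const key = Buffer.concat([SPKI, Buffer.from(id, "hex")]);
  return crypto.createPublicKey({ key, format: "der", type: "spki" });
}
// AES key = SHA-256(salt || ECDH shared secret); this KDF layout is an assumption.
function aesKey(priv, pub) {
  const shared = crypto.diffieHellman({ privateKey: priv, publicKey: pub });
  return crypto.createHash("sha256").update(KDF_SALT).update(shared).digest();
}
function encryptFor(id, message) {
  const eph = crypto.generateKeyPairSync("x25519"); // Bob's random key b
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", aesKey(eph.privateKey, pubFromId(id)), iv);
  const ct = Buffer.concat([c.update(message, "utf8"), c.final()]);
  return { ephId: publicId(eph.privateKey), iv, ct, tag: c.getAuthTag() };
}
// Throws if the password is wrong or any field was altered (GCM tag check fails).
function decryptWith(password, env) {
  const key = aesKey(privFromPassword(password), pubFromId(env.ephId));
  const d = crypto.createDecipheriv("aes-256-gcm", key, env.iv).setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]).toString("utf8");
}
// A substituted ID is a perfectly valid ID: encryption succeeds for whoever owns it.
function substitutedIdOutcome(alicePw, otherPw) {
  const env = encryptFor(publicId(privFromPassword(otherPw)), "for Alice only");
  let aliceCanRead = true;
  try { decryptWith(alicePw, env); } catch (e) { aliceCanRead = false; }
  return { aliceCanRead, otherCanRead: decryptWith(otherPw, env) === "for Alice only" };
}
```

Because the ID is derived deterministically from the password, anyone holding an ID can test password guesses against it offline, which is why the entropy recommendation above matters.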

This webapp was made by Ajay Shanker Tripathi, and is released under the BSD 3-Clause license.