Cryptography In The Browser Using JavaScript
1. JavaScript Crypto In The Browser
Barry Steyn
barry.steyn@gmail.com
March 2013
Barry Steyn JavaScript Crypto In The Browser March 2013 1/9
2. Overview
1 What Is Cryptography - Definition
2 Cryptography In The Browser: Pros and Cons - The Pros
3 Cryptography In The Browser: Pros and Cons - The Cons
4 Cryptographic Jargon - Some Jargon
5 Block Ciphers, MACs And Key Derivation Functions - Three Important Constructions
6 The Stanford JavaScript Cryptographic Library - A Quick Intro, A Demo
3. Cryptography: A Definition
Wikipedia Definition
Cryptography is the practice and study of techniques for secure communication in the presence of third parties.
Cryptography = Computer Security
Cryptographic communication relies upon trust:
Examples: you trust the other party you are communicating with, you trust a certificate authority, etc.
The fewer entities you need to trust, the better the security.
Therefore, a good cryptographic protocol trusts as little as possible.
4. Cryptography In The Browser: Pros
Why Would One Want To Do Crypto In JavaScript On The Client?
Encrypted peer-to-peer communication
Users can trust less by ensuring all crypto is done locally
A JavaScript interpreter is available on most internet devices
5. Cryptography In The Browser: Cons
Unfortunately, Crypto Security In The Browser Is Unknown At Best, And Insecure At Worst
Here are three reasons why:
1 You need to download the JS crypto library from a trusted source. The less trust, the better the security.
2 A browser is not a good environment for crypto.
3 JavaScript's malleability is great for scripting, terrible for crypto security.
4 For more info, see http://www.matasano.com/articles/javascript-cryptography
You Have Been Warned!!!
6. Cryptography: Some Jargon
Encryption and Decryption
Encryption - Transforms a message that is in plain-text to cipher-text
Decryption - Transforms a cipher-text message to the original plain-text
Encryption takes two inputs:
Key - kept secret
Plain-text message
Decryption takes two inputs:
Key - kept secret
Cipher-text message - note that this is not secret, but is only useful if one knows the secret key
7. Cryptography: Block Cipher and Key Derivation
Block Cipher - The workhorse of the cryptographic world
Input - n byte message
Output - n byte cipher-text
Example block cipher: AES. Input and output are 16 bytes (128 bits)
MAC - Message Authentication Code
A MAC guarantees message integrity
Key Derivation Function
A key is normally derived from something a human should remember - for example, a password
A key derivation function makes storage safer. It does this by doing three things:
1 Passwords are hashed so as not to store them in plain text.
2 Passwords are salted to make them more secure against a rainbow table attack.
3 Key derivation is purposefully slow! Therefore, superior hardware should (in theory) struggle.
8. SJCL
So you still want to use crypto in the browser?
Then use The Stanford JavaScript Crypto Library
1 Its authors are hardcore cryptographers, led by Prof. Dan Boneh of Stanford University (who personally had a hand in writing the library).
2 It is easy to use, and it tries to make things as secure as possible while adhering to ease of use.
3 It's small (6.4 KB compressed).
9. SJCL - A Demo
Demo