Monday, 21 July 2014

Cryptico is playing with fire

When I see this kind of thing, I cry. I cry hard.

https://github.com/wwwtyro/cryptico/blob/9291ece634d37415e66396d749d38e612d66f935/api.js#L264

Basically, Cryptico is yet another Crypto lib, a collage of existing pieces of software preassembled for simple usage. Fair enough.

Generate RSA keys, encrypt, sign, calculate hashes blah blah. This time, with a twist:

  1. Deterministic RNG, seeded with a SHA-256 hash of the passphrase. Same passphrase? Same RSA key!
  2. No PKCS#1 padding, but RSA exponent 3 hardcoded. To be fair, the bundled library does support padding, but the API documentation never says that it exists or that you should use it. If you market yourself as "an easy-to-use encryption system", you'd better make optimal default choices from a security point of view. See this nice Cr.SE post.
  3. RSA keys and encrypted data serialized with a never-seen-before format. To be fair, this is not critical, although it complicates cooperation with other crypto libraries.
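
Item 1 as an added example (not Cryptico's code and not part of the original post): a toy SHA-256 counter stream, assumed here as a stand-in for the library's seeded RNG, drives prime generation for a 256-bit toy modulus. Names such as `modulusFromPassphrase` are hypothetical; the contrast case seeds the same generator from the OS CSPRNG.

```javascript
const crypto = require('crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Toy deterministic generator: block i = SHA-256(seed || i). Every output is a
// pure function of the seed, which is the property the post objects to.
function makeStream(seed) {
  let counter = 0;
  return () => sha256(Buffer.concat([seed, Buffer.from(String(counter++))]));
}

function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Miller-Rabin with fixed bases: adequate for a demo, not for production keys.
function isProbablePrime(n) {
  if (n < 2n) return false;
  const bases = [2n, 3n, 5n, 7n, 11n, 13n, 17n, 19n, 23n, 29n, 31n, 37n];
  for (const b of bases) if (n % b === 0n) return n === b;
  let d = n - 1n, r = 0;
  while ((d & 1n) === 0n) { d >>= 1n; r++; }
  return bases.every((a) => {
    let x = modPow(a, d, n);
    if (x === 1n || x === n - 1n) return true;
    for (let i = 1; i < r; i++) {
      x = (x * x) % n;
      if (x === n - 1n) return true;
    }
    return false;
  });
}

// Draw 128-bit odd candidates from the stream until one is prime.
function nextPrime(stream) {
  for (;;) {
    const c = BigInt('0x' + stream().subarray(0, 16).toString('hex')) | (1n << 127n) | 1n;
    if (isProbablePrime(c)) return c;
  }
}

// 256-bit toy modulus n = p * q derived entirely from the 32-byte seed.
function modulusFromSeed(seed) {
  const stream = makeStream(seed);
  return nextPrime(stream) * nextPrime(stream);
}

const modulusFromPassphrase = (pw) => modulusFromSeed(sha256(pw)); // constructed inputs only
const modulusFromCsprng = () => modulusFromSeed(crypto.randomBytes(32));
```

Because the key is a pure function of the passphrase, its strength is bounded by the entropy of the passphrase rather than by the RSA key size.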

Dear author, I am not implying that you are a bad coder, you might be very skilled for all I know, but please, leave crypto code to people who know how to handle it. PLEASE.

Note: I contacted the Cryptico author and gave him a month to either fix the issues or clearly mark the code as experimental/insecure. I did not receive any feedback.

2 comments:

  1. You might want to link to the explicit commit, otherwise your link might get stale: https://github.com/wwwtyro/cryptico/blob/9291ece634d37415e66396d749d38e612d66f935/cryptico.js#L3444 (See: http://andrew.yurisich.com/work/2014/07/16/dont-link-that-line-number/)
