https://github.com/wwwtyro/cryptico/blob/9291ece634d37415e66396d749d38e612d66f935/api.js#L264
Basically, Cryptico is yet another Crypto lib, a collage of existing pieces of software preassembled for simple usage. Fair enough.
Generate RSA keys, encrypt, sign, calculate hashes blah blah. This time, with a twist:
- Deterministic RNG, seeded with a SHA-256 hash of the passphrase. Same passphrase? Same RSA key!
- No PKCS#1 padding, but RSA exponent 3 hardcoded. To be fair, the bundled library does support padding, but the API documentation never says that it exists or that you should use it. If you market yourself as "an easy-to-use encryption system", you'd better do optimal default choices from a security point of view. See this nice Cr.SE post.
- RSA keys and encrypted data serialized with a never-seen-before format. To be fair, this is not critical, altough it complicates cooperation with other crypto libraries.
Dear author, I am not implying that you are a bad coder, you might be very skilled for what I know, but please, leave crypto code to people who know how to handle it. PLEASE.
Note: I contacted Cryptico author and gave him a month to either fix the issues or clearly mark the code as experimental/insecure. I did not receive any feedback.
You might want to link to the explicit commit, otherwise your link might get stale: https://github.com/wwwtyro/cryptico/blob/9291ece634d37415e66396d749d38e612d66f935/cryptico.js#L3444 (See: http://andrew.yurisich.com/work/2014/07/16/dont-link-that-line-number/)
ReplyDeleteThanks for your remark. Fixed :)
DeleteBitcoin Evolution also claims their platform is “lightning fast” because of the algorithms they use. These algorithms scan the markets thousands of times each minute to find crypto trading opportunities.crypto
ReplyDelete