using crypto.getRandomValues #12
klml committed Sep 11, 2021
1 parent 93d9cb7 commit 74b5e1a
Showing 2 changed files with 10 additions and 2 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -28,7 +28,7 @@ There are several __security concerns__:
* If the server is compromised:
* the stored cipher is useless, but you could manipulate the javascript.
* if ciphers don't get deleted and the offender gets your mail, your message is disclosed
* The browser [generates](https://github.com/klml/msgsplit/blob/master/static/msgsplit.js#L5) the key for the message, if your browsers [Math.random](https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects/Math/math.random) is compromised, everything is worthless.
* The browser [generates](https://github.com/klml/msgsplit/blob/master/static/msgsplit.js#L6) the key for the message, if your browsers [Crypto.getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is compromised, everything is worthless.
* Only the transmitted message is encrypted. The receiver is not authenticated. The first one who receives the link, has the message.
* brutforce all ciphertexts (`for i in {1..99999999999} ; do curl -s -X POST http://msg.exmple.net:8080/writeread --form "storage_key=$1" ; done ;`): a ciphertext is still useless without the cryptographic-key.
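Review bot: the new bullet links `Crypto.getRandomValues()` to `static/msgsplit.js#L6` on `master`; a line anchor on a moving branch drifts with every later edit to that file, so pin the link to a blob at a commit SHA or drop the line number. While this paragraph is being edited, the unchanged bullet below still reads "brutforce" and "msg.exmple.net" (typos), and "if your browsers ... is compromised" should be "if your browser's ... is compromised".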

10 changes: 9 additions & 1 deletion static/msgsplit.js
@@ -1,8 +1,16 @@
// https://github.com/ikcede/JS-One-Time-Pad/blob/master/onetimepad.js
function generate_cryptographic_key (messageLength) {
var cryptographic_key = "";
var byteArray = new Uint8Array(1);
for(var i=0; i < messageLength ;i++) {
cryptographic_key = cryptographic_key.concat(String.fromCharCode(Math.floor(Math.random()*26) + 65));
window.crypto.getRandomValues(byteArray);

// move range start from 0 to 65, to start at ASCII "A"
// and reduce range length from 256 to 26, to end at ASCII "Z"
// 256 / 26 = 9.846153846
cryptographic_key_range = 65 + Math.floor( byteArray / 9.846153846 )
cryptographic_key = cryptographic_key.concat(String.fromCharCode(cryptographic_key_range));

}
return cryptographic_key;
}
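Review bot: `byteArray / 9.846153846` divides the typed array itself, not the byte; it only works because a one-element `Uint8Array` stringifies to its single value, so it should be `byteArray[0] / ...`. More importantly, the bucketing is not uniform: 256 source values cannot split evenly into 26 letters (256 = 22*10 + 4*9), so 22 letters are drawn with probability 10/256 and 4 with 9/256. Prefer rejection sampling: draw a byte, discard it if it is >= 234 (26*9) and draw again, otherwise use `65 + (byte % 26)`. Also `cryptographic_key_range` is assigned without `var`/`let` (implicit global), that line is missing its semicolon, and the name is misleading since the value is a char code, not a range.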