To JavaScript Crypto or Not

Posted: December 23, 2010 – 10:34 pm | Filed under: Cryptography, javascript

The short answer is: if it is in a browser, then no, you probably should not be doing it. A nice discussion on Hacker News regarding a new SRP service came up today. SRP is the Secure Remote Password protocol, a wonderful little authentication protocol that has slowly been gaining recognition and acceptance. A nice feature of SRP is that even the most horribly weak one-character password is just as hard to perform an offline dictionary attack against as a long, strong and complex password. These are nice properties in light of password database compromises like RockYou and Gawker. The discussion on Hacker News centers around using a JavaScript implementation for the client piece of SRP. Performing SRP safely in the browser using JavaScript is a nightmare. I applaud their effort, but ultimately I am afraid this will be a tough nut to crack: the JavaScript runtime of a browser is a very hostile environment.

I will also point readers over to Nate Lawson’s treatment of this topic for some more detailed thoughts and issues regarding JS crypto. As an aside, if you are not familiar with SRP, this slide deck is a nice overview of it.

