Re: [liberationtech] Fwd: SafeGDocs: encrypted documents in Google Drive

2013-04-18 Thread Carmela Troncoso
Hi Steve,

thanks so much for your feedback. We will change the AES implementation
asap, and Stanford's JS Crypto is a perfect candidate. Thanks for
pointing it out.

We have looked at the SecureDocs project, but the code at their web only
works with an old Firefox version. Do you know whether the authors plan to
release a new version according to the SPCC 2012 paper?

Kind regards,
Carmela


On 14/04/2013 1:09, Steve Weis wrote:
 Hi. SafeGDocs appears to use an unsafe implementation of AES-CTR mode
 from here:
 http://www.movable-type.co.uk/scripts/aes.html

 Two problems with this library:
 - It generates a predictable CTR mode IV using time of day.
 - There is apparently no authentication of the ciphertext, which in
 CTR mode means you can trivially modify messages.

 The SafeGDocs overlay.js that calls the Movable Type AES library has
 been minified for no apparent reason. I didn't bother to unminify it
 to look at it.

 This similar project, SecureDocs, happens to use the same library, but
 only for a key derivation function. They're using Stanford's JS Crypto
 for the actual encryption: http://www.mightbeevil.com/securedocs/

 I haven't looked at SecureDocs in depth, but Nate Lawson gave it a
 thumbs up:
 http://rdist.root.org/2011/05/09/encrypted-google-docs-done-well/


 On Sat, Apr 13, 2013 at 8:12 AM, Michael Rogers
 mich...@briarproject.org wrote:

  Original Message 
 Date:   Mon, 08 Apr 2013 11:03:51 +0200
 From:   Carmela Troncoso ctronc...@gradiant.org
 To: p...@lists.links.org

 Hello everybody,

 in the last year we have been developing at Gradiant
 (http://www.gradiant.org/en.html) a Firefox addon that allows users to
 easily encrypt and share documents in Google Drive in such a way that
 data is not accessible to the service provider. We are now releasing a
 version and would love to have the feedback of the community both about
 its usability and security.

 You can download the addon here:
 http://www.safegdocs.com/en/home.html

 and find the associated academic papers here:
 
 http://www.gradiant.org/images/stories/2010_cloudviews_googledocsprivacy.pdf
 
 http://www.gradiant.org/images/stories/sharing_secure_documents_in_the_cloud.pdf


--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Fwd: SafeGDocs: encrypted documents in Google Drive

2013-04-13 Thread Steve Weis
Hi. SafeGDocs appears to use an unsafe implementation of AES-CTR mode from
here:
http://www.movable-type.co.uk/scripts/aes.html

Two problems with this library:
- It generates a predictable CTR mode IV using time of day.
- There is apparently no authentication of the ciphertext, which in CTR
mode means you can trivially modify messages.

The SafeGDocs overlay.js that calls the Movable Type AES library has been
minified for no apparent reason. I didn't bother to unminify it to look at
it.

This similar project, SecureDocs, happens to use the same library, but only
for a key derivation function. They're using Stanford's JS Crypto for the
actual encryption: http://www.mightbeevil.com/securedocs/

I haven't looked at SecureDocs in depth, but Nate Lawson gave it a thumbs
up:
http://rdist.root.org/2011/05/09/encrypted-google-docs-done-well/


On Sat, Apr 13, 2013 at 8:12 AM, Michael Rogers mich...@briarproject.org wrote:

  Original Message 
 Date:   Mon, 08 Apr 2013 11:03:51 +0200
 From:   Carmela Troncoso ctronc...@gradiant.org
 To: p...@lists.links.org

 Hello everybody,

 in the last year we have been developing at Gradiant
 (http://www.gradiant.org/en.html) a Firefox addon that allows users to
 easily encrypt and share documents in Google Drive in such a way that
 data is not accessible to the service provider. We are now releasing a
 version and would love to have the feedback of the community both about
 its usability and security.

 You can download the addon here:
 http://www.safegdocs.com/en/home.html

 and find the associated academic papers here:

 http://www.gradiant.org/images/stories/2010_cloudviews_googledocsprivacy.pdf

 http://www.gradiant.org/images/stories/sharing_secure_documents_in_the_cloud.pdf
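
The two problems raised in this thread (a time-derived CTR IV and no ciphertext authentication), shown next to an authenticated mode. This is an added example, not part of any message in the thread and not code from SafeGDocs or the Movable Type library. The counter-block layout, key, timestamps and function names are assumptions made for illustration, and AES-GCM from Node's built-in crypto module is a substitute chosen here, not the library the thread recommends.

```javascript
const nodeCrypto = require('node:crypto');
const KEY = nodeCrypto.randomBytes(32); // constructed demo key

// Weak pattern: counter block derived from the clock, no MAC over the ciphertext.
// Assumed layout (hypothetical): 8-byte timestamp nonce, then 8-byte counter from 0.
function ctrEncryptTimeIv(plaintext, nowMs) {
  const iv = Buffer.alloc(16);
  iv.writeBigUInt64BE(BigInt(nowMs), 0);
  const c = nodeCrypto.createCipheriv('aes-256-ctr', KEY, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext), c.final()]) };
}
function ctrDecrypt({ iv, ct }) {
  const d = nodeCrypto.createDecipheriv('aes-256-ctr', KEY, iv);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Hardened form: random 96-bit nonce plus an authentication tag (AES-GCM).
function gcmEncrypt(plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmDecrypt({ iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', KEY, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on a bad tag
}

const flipBit = (buf, i) => { const o = Buffer.from(buf); o[i] ^= 1; return o; };

// Problem 1: two encryptions in the same clock tick share a keystream, so the
// XOR of the two ciphertexts equals the XOR of the two plaintexts.
function keystreamReused(nowMs) {
  const a = Buffer.from('constructed doc A'), b = Buffer.from('constructed doc B');
  const ca = ctrEncryptTimeIv(a, nowMs).ct, cb = ctrEncryptTimeIv(b, nowMs).ct;
  return ca.every((byte, i) => (byte ^ cb[i]) === (a[i] ^ b[i]));
}

// Problem 2: a modified CTR ciphertext decrypts without any error; GCM rejects it.
function tamperOutcome() {
  const msg = Buffer.from('constructed note');
  const weak = ctrEncryptTimeIv(msg, 1365868800000); // constructed timestamp
  const altered = ctrDecrypt({ iv: weak.iv, ct: flipBit(weak.ct, 0) });
  const strong = gcmEncrypt(msg);
  let gcmRejected = false;
  try { gcmDecrypt({ ...strong, ct: flipBit(strong.ct, 0) }); } catch (e) { gcmRejected = true; }
  return { ctrSilentlyAltered: !altered.equals(msg), gcmRejected };
}
```
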

