I noticed a good while back that Wikipedia links to a JavaScript implementation of different hash functions. Also found Clipperz Crypto. Even Mozilla implements a crypto object in Firefox.

So, is JavaScript a proper platform for cryptography? Or can it be?
Or, I suppose... are there any purposes or benefits for hashing data before POST?

A: 

I don't see why a cryptographic function couldn't be implemented using JavaScript.

However, cryptography is a resource-intensive process.

Compared to compiled code, JavaScript is slooooooow.

alexmac
Not anymore, thanks to V8, Squirrelfish and TraceMonkey. Only IE is left behind.
Mauricio Scheffer
Yeah, only 80% of the market share is left behind...
gizmo
Even V8 is slow compared to statically compiled code.
Nils Pipenbrinck
+1  A: 

You can encrypt data using JavaScript; however, I'm not sure about the benefits. Because if you are using, let's say base64, you need to send the encryption key to the client, and if someone can intercept the encrypted information he/she would probably be able to intercept the encryption key too.

You should never use this for replacing SSL certificates.

Flupkear
Yes, that's true, I can't think of a way to pass the key securely client side. Have edited my comment.
alexmac
What about HTTPS?
Mauricio Scheffer
Like you said, JS shouldn't be used for end to end encryption; however, there are some services out there that offer secure email by doing encryption/decryption client-side and storing only the encrypted information on the server.
Kyle Cronin
Public key cryptography is actually made for this kind of situation where you cannot trust the distribution of the key (or the user of the key). I can't really think of any applications where this would be useful over SSL as you say.
andy
+4  A: 

There are uses for hashing functions in JavaScript, for example validating captchas client side (by comparing hash in session to computed hash from input). Obviously, the uses are limited since it runs almost exclusively client side (and you can't trust client input), but the potential is there.

Eran Galperin
+1  A: 

Never ever can you use JavaScript as a safe platform for transferring secure data ...

But it is possible to make an MD5 or other type of encryption client-side, that gives you a reasonably secure way of validation you could test server-side !-)

roenving
A: 

I can see at least one use: If you are sending the client encrypted data, then decrypting it in JavaScript based on a key/password that the user enters locally. This presupposes a shared key or a known password that you used to originally encrypt the data at the server. Also, these functions are frequently used by malicious and/or obfuscated JavaScript.

Eugene
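
The scenario in the answer above (data encrypted with a shared password, decrypted in the browser from what the user types), as an added example that is not part of the original answer. It assumes the browser Web Crypto API with PBKDF2 and AES-GCM, none of which the thread names; the function names and the iteration count are hypothetical choices, and the sample strings are constructed.

```javascript
// Web Crypto is global in browsers and Node 19+; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 200000; // assumed PBKDF2 work factor, tune to your latency budget

// Stretch the typed password into a non-extractable AES-256-GCM key.
async function deriveKey(password, salt) {
  const material = await webcrypto.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Stands in for the server: encrypt once, ship { salt, iv, ciphertext }.
async function encryptForClient(password, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16)); // fresh per blob
  const iv = webcrypto.getRandomValues(new Uint8Array(12));   // never reuse with a key
  const key = await deriveKey(password, salt);
  const ciphertext = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  return { salt, iv, ciphertext };
}

// Client side: returns the plaintext, or null when the password is wrong
// or the blob was modified (the GCM tag check fails in both cases).
async function decryptInBrowser(password, blob) {
  const key = await deriveKey(password, blob.salt);
  try {
    const plain = await webcrypto.subtle.decrypt(
      { name: 'AES-GCM', iv: blob.iv }, key, blob.ciphertext);
    return new TextDecoder().decode(plain);
  } catch {
    return null;
  }
}

async function demo() {
  const blob = await encryptForClient('correct horse', 'constructed sample record');
  const ok = await decryptInBrowser('correct horse', blob);
  const wrong = await decryptInBrowser('wrong guess', blob);
  const tampered = new Uint8Array(blob.ciphertext.slice(0)); // copy, then flip one bit
  tampered[0] ^= 1;
  const modified = await decryptInBrowser('correct horse', { ...blob, ciphertext: tampered });
  return { ok, wrong, modified };
}

demo().then(console.log);
```

The password never leaves the page, but the script doing the decryption is still delivered by the server, so this complements HTTPS rather than replacing it.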
A: 

The answer depends on what you want to do.

If you want to use cryptography on client-side, offline, persistent web applications, then yes. So, for example, if you want to encrypt all data that is stored in an embedded database using the HTML 5 specification's 'globalStorage()', then use JavaScript crypto, because the likelihood is that you won't have a connection to handle all the crypto on the server side.

If not, use the tried and tested methods.

A: 

These blog articles describe valuable uses for cryptography in JavaScript:

For securely identifying yourself:

http://digitalbazaar.com/2010/08/07/webid/

For providing a secure interface to localhost applications w/embedded-servers via a website:

http://digitalbazaar.com/2010/07/20/javascript-tls-1/

http://digitalbazaar.com/2010/07/20/javascript-tls-2/

dlongley