CryptAByte.com: Making cryptography (more) accessible to non-hackers

DO NOT USE FOR ANYTHING IMPORTANT!!!!! CRYPTOBYTE IS NOT SECURE AT THIS TIME!!!!!<p>The developer says:<p><pre><code> CryptAByte uses public-key encryption just like HTTPS/SSL and OpenPGP/PGP. The algorithms used are RSA for key pairs, AES 256 to encrypt messages and files, and SHA 256 for hashing. The servers hosting this application support can encrypt 2.1 GB of data per second using the latest Intel CPU’s with AES support built into the chipset. </code></pre> Server-side encryption means that the people running the server have access to the plaintext. The web interface simply does a PUT request that sends the plaintext to the server.<p>Another problem is that they are storing your private RSA key on their server. When you ask to retrieve your messages, you do an AJAX POST request, giving a token to identify they key, and your password. Presumably, the key is encrypted using the password.<p>If their servers are compromised, whether by hackers or by search warrant, the security of your private key depends on how good your password is. They are pitching this as bringing good security to the masses. THE MASSES SUCK AT CHOOSING GOOD PASSWORDS. If you want to bring good security to the masses, it is ludicrous to make the security of the system rest on the ability of the masses to pick a high entropy password.<p>In defense of the developer, it is quite possible he knows all this. In the interview the article mentions (<a href="http://libertarianstandard.com/2012/06/07/exclusive-interview-with-cryptabytes-creator-david-veksler/" rel="nofollow">http://libertarianstandard.com/2012/06/07/exclusive-intervie...</a>), it is clear that this is an experiment at this stage, and it is quite possible that the developer has simply not gotten around to addressing those issues yet. The author of the article clearly has no technical knowledge of cryptography whatsoever, and so may have not understood that CryptAByte is an early stage exploration of concepts at this point.<p>I've got some experience designing a similar product, and I'm pretty sure that when he does get around to dealing with those issues he's going to find that it cannot be done without abandoning the idea of doing at all on the web. As far as I can see, to be secure even with users who do not pick strong passwords, you need access to the local filesystem and to a local source of cryptographically secure random numbers.<p>From the article (so blame the article author, not the developer):<p><pre><code> But it gets more brilliant. How can you know that you can really trust the service, or that Veksler himself works for the FBI or the like? Well, you don’t have to trust him. Veksler is making the entire apparatus completely open source so that anyone can inspect the code. He does nothing on the site that is not wholly open to the world, so that way anyone can know everything that is going on in the engine room but no one, not even the service owner, can know what is being communicated. </code></pre> Pure bullshit. The user has no way of knowing that the code ACTUALLY RUNNING on the site is the same as the code that is released as open source.

I'm happy to have another partner- in- debunking- broken- crypto here and so a little giddy at seeing the 'tzs comment, but he missed some stuff.<p>Grab the source code and you'll see that --- at least as regards the cryptography components of this application --- it's practically the "Hello World" example from the MSDN System.Security.Cryptography documentation.<p>That's not in itself a problem; lots of "hello world"-grade libraries are useful. Unfortunately, like every other low-level crypto library, the MSDN documentation does an appalling job of showing how to write a secure cryptosystem. Blame the docs, blame Microsoft, blame the developer, but this program gets a bunch of things painfully wrong.<p>By way of bona fides and to start this off: I'm pretty sure that using PBKDF2 to generate the key <i>and</i> the IV for AES-CBC is broken; it produces a deterministic repeating IV for every message encrypted under a given key. Had the default mode for AesManaged been CTR, or had the developer chosen CTR mode, this would be a devastating problem; it would mean attackers without knowing anything about the key or even the encryption method could, in seconds, discover that CTR mode with a repeating nonce had been used <i>and decrypt the messages</i>. Fortunately, since the .NET default is CBC, it just subtly weakens the cryptosystem instead of killing it.<p>Why-oh-why derive the IV from the key? An idiom in modern cryptosystems: generate a random block and tack it to the front of the message.<p>Do you want to entrust your secret messages to developers who get this wrong? Only if you want to do that developer a favor. It's fine if you do, but I recommend trusting your real secrets to GPG/PGP.<p>There are significantly worse problems with this library (at least, I think; I read it for just a few minutes). Exercises for the interested reader.

'It is called cryptabyte.com. It is the first, easy-to-use, web-based service to provide <i>absolutely</i> <i>uncrackable</i> security in communications and file sharing."<p>(emphasis mine)<p>"CryptAByte uses public-key encryption just like HTTPS/SSL and OpenPGP/PGP. The algorithms used are RSA for key pairs, AES 256 to encrypt messages and files, and SHA 256 for hashing."<p>Soooo -- <i>like</i> SSL and OpenPGP, but not actually OpenPGP. Yes, let's use AES directly some more and not release source code until some undefined point in the future -- that sounds like a fantastic idea!<p>Aren't plain PGP/GPG installables for all platforms user friendly enough already? If they're not, can we please make websites that are basically cheap shims over gpg's stdout/stdin?