# Re: ANNOUNCE: "jscryptor: client-side web page encryption" using JavaScript

*From*: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)*Date*: Sun, 1 Oct 2006 19:38:16 +0000 (UTC)

d wrote:

The MAC is calculated by XORing a hash of the original/decrypted

plaintext with a hash of the key.

This MAC is insecure against known-plaintext attack. If the attacker

knows the (original) plaintext, they can compute the hash of the

plaintext; then if they know the MAC, they can recover a hash of the key

by xor-ing; finally, once they know a hash of the key, they can replace

the plaintext with some other plaintext and adjust the MAC appropriately.

The CFB encryption (especially the use of the MAC as IV) confounds the

last step of the attack, so I don't know whether the whole thing all

together is insecure, but the MAC on its own is insecure. That's a bad

sign, and I don't recommend using a construction with this property.

It would be better to use SHA1-HMAC.

Also, if you ever use the same key for more than one message, then I

think your MAC construction violates confidentiality. Suppose that for

one message, I know the plaintext and I intercept the ciphertext. Then,

as above, I can calculate the hash of the key. Now suppose I intercept a

second ciphertext, corresponding to some unknown plaintext. I can extract

the MAC field from that second ciphertext, xor with the hash of the key,

and learn the hash of the second plaintext. If the second plaintext has

low entropy, then this is enough to recover the second plaintext by using

a dictionary attack. It is also enough to detect repeated plaintexts.

It would be better to use a random IV, rather than one generated

deterministically from the plaintext.

For these reasons, I wouldn't recommend that this construction be used

to protect important data.

.

**Follow-Ups**:

**References**:

- Prev by Date:
**Re: urandom sufficient for e.g. SSL?** - Next by Date:
**Re: What's wrong with AES?** - Previous by thread:
**ANNOUNCE: "jscryptor: client-side web page encryption" using JavaScript** - Next by thread:
**Re: ANNOUNCE: "jscryptor: client-side web page encryption" using JavaScript** - Index(es):