Switched Encryption Library

Switched from asmCrypto to jscl.

README.md

@@ -7,7 +7,7 @@ This chat application is designed for for use within a web browser and is focuse
 * Secure WebSockets over hitch for secure instant chat.
 * Rooms with multiple users.
     * Persistent chat room messages stored in MySQL if enabled.
-* Client-side[1] encryption with [https://github.com/vibornoff/asmcrypto.js](asmCrypto).
+* Client-side[1] encryption with [http://bitwiseshiftleft.github.io/sjcl/](Stanford Javascript Crypto Library).
 * Current status. e.g. Free, Away, Busy, Idle, ...
 * Slash commands similar to IRC. Implement `CommandPlugin` for custom slash commands. e.g. /help
 * User is typing notification.
@@ -215,6 +215,10 @@ You could even implement a whole slew of admin commands. e.g. `/admin <password>
 
 ## Notes
 
-[1] If you are going to use client-side encryption it is advised to also use SSL. See this article for security risks. <a target="_blank" href="http://matasano.com/articles/javascript-cryptography/">http://matasano.com/articles/javascript-cryptography/</a>.
-
 This application runs on these two official images from Docker Hub: `mysql:5.7` and `ubuntu:18.04`. The web application runs on the default `apache2` package from Ubuntu. See `docker/web-server/Dockerfile` and `docker/chat-server/Dockerfile` for configuration.
+
+The `messages` table `message` column content will be changed soon and will require a migration, however encrypted content cannot be migrated easily. Persistent chat should be used without the intent of long term storage until this work is complete. The migration won't be difficult but will require a bit of work.
+
+## Disclaimer
+
+The author of this software is not a security expert and does not provide any warranty or guarantee that this application is as secure as it can be. Use at your own risk. SSL should always be used. Websockets are encrypted by proxying through `hitch` and chat messages are encrypted in the browser using `jscl.js`. See http://bitwiseshiftleft.github.io/sjcl/ for more information.

html/index.html

@@ -9,6 +9,7 @@
         <link type="text/css" rel="stylesheet" href="css/jquery.jgrowl.min.css" />
         <link type="text/css" rel="stylesheet" href="css/talk2me.css" />
         <link type="text/css" rel="stylesheet" href="js/highlight/styles/atelier-forest.light.css" />
+        <script src="js/sjcl.js"></script>
     </head>
     <body>
         <div class="container">
@@ -107,7 +108,6 @@ <h1><span style="color:#930000">t</span><span style="color:#aa1717">a</span><spa
         <script src="js/bootstrap/3.0.0/js/bootstrap.min.js"></script>
         <script src="js/handlebars.min.js"></script>
         <script src="js/moment.min.js"></script>
-        <script src="js/asmcrypto.min.js"></script>
         <script src="js/config.js"></script>
         <script src="js/tinycon.min.js"></script>
         <script src="js/livequery/jquery.livequery.min.js"></script>

html/js/talk2me.js

@@ -16,7 +16,6 @@
     var conn = null;
     var messagesShown = 0;
     var persistentURLBit = "!";
-    var sharedKey = "talk2me chiquita #94011";
     var linker = new Autolinker({
         newWindow: true,
         stripPrefix: false,
@@ -30,18 +29,6 @@
         return Math.round(Math.random() * (max - min) + min);
     }
 
-    function padRight(str, len) {
-        if (undefined === str || str === null) {
-            return "";
-        } else {
-            var pad = "";
-            for (var i = 0; i < len; i++) {
-                pad += "p";
-            }
-            return str + pad.slice(str.toString().length);
-        }
-    }
-
     Date.prototype.today = function () {
         return (this.getFullYear()) + "-"
                 + (((this.getMonth()+1) < 10) ? "0" : "") + (this.getMonth()+1) + "-"
@@ -397,7 +384,7 @@
                 usekey = true;
                 secret = $("#secret").val();
                 var l = secret.length;
-                if (l < 16 || l > 32) {
+                if (l < 8) {
                     removeErrorMessages();
                     $("#login-form").prepend("<div id=\"error\"></div>");
                     $("#error").addClass("alert alert-warning fade in")
@@ -406,7 +393,6 @@
                             .after("Secret key for client-side encryption must be between 16 and 32 characters.");
                     return false;
                 }
-                secret = padRight(secret, 32);
             } else {
                 usekey = false;
                 secret = "";
@@ -683,9 +669,7 @@
     function encryptMessage(msg) {
         "use strict";
         try {
-            return asmCrypto.bytes_to_base64(asmCrypto.AES_CBC
-                    .encrypt(asmCrypto.string_to_bytes(msg), asmCrypto
-                        .PBKDF2_HMAC_SHA256.bytes(secret, sharedKey, 4096, 16)));
+            return sjcl.encrypt(secret, msg);
         } catch (ex) {
             console.log("Could not encrypt message.");
             return false;
@@ -695,9 +679,7 @@
     function decryptMessage(msg) {
         "use strict";
         try {
-            return asmCrypto.bytes_to_string(asmCrypto.AES_CBC
-                    .decrypt(asmCrypto.base64_to_bytes(msg), asmCrypto
-                        .PBKDF2_HMAC_SHA256.bytes(secret, sharedKey, 4096, 16)));
+            return sjcl.decrypt(secret, msg);
         } catch (ex) {
             console.log("Could not decrypt message.");
             return false;
@@ -787,7 +769,7 @@
 
         $("#secret").on("keyup", function() {
             var l = $("#secret").val().length;
-            if (l >= 16 && l <= 32) {
+            if (l >= 8) {
                 $("#key-length").css("color", "green");
                 $("#key-length").html("Valid key");
             } else {