When I started the crypto-browserify
project it was a simple idea: A pure javascript drop-in replacement for node's crypto
module that would run in the browser. I never really expected that we could get as feature complete as we are now - I can only take a small part of the credit for this.
At the time, getting node's crypto module to work in the browser seemed like the right idea, but in the process, I have learnt a great deal more about cryptography and now I can see we can do much better.
Edit for clarity: crypto-browserify is not the end of the story, I think we need a new project (in a new org) that aims to do bulletproof crypto, with clearly defined properties and no surprising edgecases.
node's crypto
is based on buggy standards - SHA, RSA, AES, TLS are all buggy. SHA1 is now considered to weak to be used in new protocols. SHA256 has length extension bug. RSA is unsafe without padding. AES has many insecure modes! If we are interested in building new cryptosystems (i am) then I do not think we should do so on primitives that you must understand the internal details of to use safely - What we need is a new collection of quality primitives. Hashes without length extension, signing and encrypting where the requirement for a clean nonce or padding is made explicit via the interface. Security properties must be simply stated and clearly documented.
edit for clarity: nacl has solved this problem for the primitives. It's a selection of quality primitives which have the clearest behavior, and are easy to understand with no surprises. This makes protocols built on them is easier to audit. We should use nacl, but build protocols on top of it applying the same philosophy.
Also, building your cryptosystem directly from the primitives is unwise. Even with quality primitives, there are many ways to assemble them, not all safe. Applications often need the same features, secure-channels, authentication, Encrypted storage, asymmetric encryption. These cryptomodules are assembled from the primitives, and likewise, their properties should be simply stated and clearly documented. The design process for a crypto module or protocol should be taken very seriously. Agile does work for crypto. To design a crypto protocol I think you should begin with a survey of prior art, and summarize and document the security properties. This will give you a good idea for the properties that are achiveable, you'll probably think of some new ones too! Document these, and design a protocol that realizes them. Describe the behavior your protocol will have with different kinds of attacks on it. Now you may begin to write code.
Yes, this is basically the waterfall method. Big Design Up Front. However, I am not advocating designing whole systems like this - just modules. What this is really, is a design process optimized for auditability.
I think this should probably be in the form of markdown documents with english descriptions and pseudocode.
A discussion needs to result in a easy to read document - not a back and forth issue discussion (though that is important while producing the document). Also, clear protocol design documents will be useful to developers across languages, not just javascript.
To give a concrete example of the kind of design process I am advocating have a look at what I've done here while designing a secure channel protocol: first, revew of prior art: https://github.com/ssbc/scuttlebot/wiki/secure-private-channels:-the-good,-the-bad,-and-the-ugly
then summary of desirable properties: https://github.com/ssbc/scuttlebot/wiki/desirable-properties-for-a-secure-channel then a description of a protocol that meets all those properties https://github.com/ssbc/scuttlebot/wiki/a-secure-secure-channel
Who is with me?
@calvinmetcalf @dcousens @jprichardson @lsegal @kyledrake @wolfeidau @nathan7 @ahdinosaur @substack @hij1nx @ralphtheninja @jbenet @mafintosh