Skip to main content

Encryption details

For encryption/decryption AES in CCM-mode is used. The key is generated via Pbkdf2 from the passphrase.

The encryption/decryption is completely done on the client side in javascript. We are using the Stanford Javascript Crypto Library (SJCL). This way even the server administrator does not even have access to blog's content (posts, comments, images).

You may want to visit the excellent SJCL demo to play around with the encryption algorithm.

Default encryption parameters:

  • cipher: aes
  • mode: ccm
  • salt-size: 8 bytes
  • tag-size: 8 bytes
  • mac-size: 8 bytes
  • PBKDF2 with HMAC/SHA256 and 1000 iterations

Encryption and decryption of posts and comments

Beside the browser based javascript variant it is also possible to to write a client in neary any other programming language. For demonstration purposes we chose python.

Get the python-sjcl source from github:
https://github.com/elastic/sjcl

For the complelete core functionality the pycrypto cryptography toolkit is used. At the time of development a special git branch for ccm support (variant of AES) was needed:

git clone -b ccm git://github.com/Legrandin/pycrypto.git .

There is a nice introduction into cryptography using pycrypto: Symmetric Encryption with PyCrypto (part2, part3)

Python example application: backup_cryptedblog.py

As a demonstration for both, the API and the cryptography a small backup application is available as part of python-sjcl:
https://github.com//elastic/sjcl/tree/master/examples/backup_cryptedblog.py

You course you may uses this application to backup the content of your blog.

Possible security concerns using browser based cryptography

We do not want to neglect the fact that there are a lot of people who think it's problematic to use cryptography from web based applications.

The main point we see is that the javascript code ia not be cryptographically signed and may be altered by the server admin or on its way trough the internet. The use of HTTPS/SSL may solve the second problem. To solve the first one a non-browser based app is planned.