JavaScrypt: Browser-Based Cryptography Tools


Welcome to JavaScrypt, the high-security data encryption solution which runs entirely in your Web browser. To use the page, your browser must support JavaScript and you must not have disabled execution of that language. Let's see…

If the box above says “Your browser supports JavaScript”, you're in business.

JavaScrypt runs entirely in your browser—nothing is sent to any Web site when you use it. You can, if you wish, download JavaScrypt to your own computer and use it when not connected to the Internet.

JavaScrypt's encryption facilities use the Advanced Encryption Standard (AES) adopted by the United States as Federal Information Processing Standard 197. AES supports key lengths of 128, 192, and 256 bits; JavaScrypt uses 256-bit keys exclusively.

If you're already familiar with encryption, proceed directly to the pages which implement the various components of JavaScrypt. If you're a newcomer, you may prefer to work through the JavaScrypt Tutorial, which demonstrates how they're used.

JavaScrypt Components

Why Encrypt with JavaScript?

At first glance, JavaScript may seem an odd choice for implementing encryption. These programs are rather large and complicated, and downloading and running them takes longer than would be required for a Java applet or to access a CGI program on a Web server. I chose JavaScript for two reasons: security and transparency.

Security.   The sole reason for encryption is to protect privacy. This means the process cannot involve any link whose security is suspect. If messages were encrypted by a Web server, they would have to pass over the Internet, where any intermediate site might intercept them. Even if some mechanism such as secure HTTP could absolutely prevent the data's being intercepted, you'd still have no way to be sure the site which performed the encryption didn't keep a copy in a file, conveniently tagged with your Internet address.

In order to have any degree of security, it is essential that all processing be done on your computer, without involving any transmission or interaction with other sites on the Internet. A Web browser with JavaScript makes this possible, since the programs embedded in these pages run entirely on your own computer and do not transmit anything over the Internet. Output appears only in text boxes, allowing you to cut and paste it to another application. From there on, security is up to you.

Security is never absolute. Data encrypted with these pages might be compromised in a variety of ways, including but not limited to the following:

One can whip oneself into a fine fever of paranoia worrying about things like this. One way to rule out the most probable risks is to download a copy of these pages and the JavaScript programs they reference and run it from a “file:” URL on a computer with no network connection whatsoever located in secure premises under your control. And look very carefully at any files created by your Web browser. You may find the most interesting things squirreled away there….

Transparency.   Any security-related tool is only as good as its design and implementation. Transparency means that, in essence, all the moving parts are visible so you can judge for yourself whether the tool merits your confidence. In the case of a program, this means that complete source code must be available, and that you can verify that the program you're running corresponds to the source code provided.

The very nature of JavaScript achieves this transparency. The programs are embedded into the Web pages you interact with; to examine them you need only use your browser's “View Source” facility, or save the page into a file on your computer and read it with a text editor; any JavaScript components the pages reference can be similarly downloaded and examined in source code form. JavaScript's being an interpreted language eliminates the risk of your running a program different from the purported source code: with an interpreted language what you read is what you run.

Transparency is important even if you don't know enough about programming or security to determine whether the programs contain any flaws. The very fact that they can be examined by anybody allows those with the required expertise to pass judgment, and you can form your own conclusions based on their analysis.
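One way to start the source review described above, as an added example (not part of JavaScrypt and not written by its author): a static scan of a saved copy of a page and its scripts for remote references and network-capable browser APIs. The function `auditSource`, the sample page and its file names are constructed for illustration, and each hit is a pointer for manual reading rather than proof that data leaves the machine.

```javascript
// Added example: static audit of a saved page and its scripts.
// SAMPLE_PAGE is constructed for illustration; it is not JavaScrypt's markup.
const TAG = /<(\w+)\b([^>]*)>/g;
const ATTR = /\b(src|href|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// Browser APIs able to transmit data; a hit is a pointer for manual reading.
const NETWORK_API = /\b(XMLHttpRequest|fetch|WebSocket|EventSource|sendBeacon|importScripts)\b/g;

// Absolute or protocol-relative URLs leave the local copy; relative and file: ones do not.
const isRemote = (url) => /^(https?:|wss?:|ftp:)?\/\//i.test(url.trim());
const lineOf = (text, index) => text.slice(0, index).split("\n").length;

function auditSource(file, text) {
  const findings = [];
  for (const tag of text.matchAll(TAG)) {
    const element = tag[1].toLowerCase();
    for (const attr of tag[2].matchAll(ATTR)) {
      const url = attr[2] ?? attr[3] ?? attr[4];
      if (!isRemote(url)) continue;
      // A hyperlink acts only when clicked; other elements fetch or post as the page operates.
      const isLink = element === "a" && attr[1].toLowerCase() === "href";
      findings.push({ file, line: lineOf(text, tag.index),
                      kind: isLink ? "link" : "remote-load", detail: `<${element}> ${url}` });
    }
  }
  for (const m of text.matchAll(NETWORK_API)) {
    findings.push({ file, line: lineOf(text, m.index), kind: "network-api", detail: m[1] });
  }
  return findings;
}

const SAMPLE_PAGE = [
  '<html><head>',
  '<script src="md5.js"></script>',
  '<script src="https://cdn.example/analytics.js"></script>',
  '</head><body>',
  '<a href="https://www.example/tutorial.html">Tutorial</a>',
  '<form name="plain" action="#" onsubmit="return false;">',
  '<script>function save(t) { new XMLHttpRequest(); }</script>',
  '</body></html>'
].join("\n");

for (const f of auditSource("index.html", SAMPLE_PAGE)) {
  console.log(`${f.file}:${f.line} [${f.kind}] ${f.detail}`);
}
```

Run it over every HTML and script file in the saved copy; a copy intended for offline use should produce no `remote-load` or `network-api` findings.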

Acknowledgments

The JavaScript implementation of the AES (Rijndael) encryption algorithm was developed by Fritz Schneider; it has been modified slightly for use in JavaScrypt but produces output identical to the reference implementation.

The JavaScript implementation of the MD5 message-digest algorithm was developed by Henri Torgemane; please view the source code file md5.js to examine the code, including the copyright notice and conditions of use. The MD5 algorithm was developed by Ron Rivest.

The JavaScript implementation of the SHA-2 hash functions SHA-224 and SHA-256 is by Chen, Yi-Cyuan and released under the MIT License, which is included in the source code file sha256.js. The original code is available on GitHub.


This document is in the public domain.