It's worse than that. It uses a questionable javascript crypto library (written by a former twitter dev, not a cryptographer) and a fixed IV derived from the password which is re-used for each message. This is "oh, I read the Wikipedia article on AES"-level cryptography deployed against people who would have written the Wikipedia entry if not for the fact that what they know is probably not public.
Better idea: Just make a plugin that uses OTR[0]. Don't try to roll your own crypto, especially when you are up against people who know what they are doing.
[0] http://www.cypherpunks.ca/otr/
There are 64 bits of randomness (however, they come from Math.random which is not so good...).
The encrypted text produced by this has a distinct signature - all messages will contain "U2FsdG". Here's how we break this if you're Google/can force Google to do stuff:
1) Detect messages containing that OpenSSL 'magic number'
2) If detected, push something like this:
// Should check to see if GibberishAES exists to avoid errors if it doesn't...
// Grab target function as a string
var keycode = '' + GibberishAES.openSSLKey;
// Inject something evil
keycode = keycode.replace('key = result.slice(0, 4 * Nk);','key = result.slice(0, 4 * Nk); for (var pos = 1; pos < 4 * Nk; pos++) { result[pos] = 0; };');
keycode = 'EvilGibberish = {}; EvilGibberish.openSSLKey = ' + keycode;
// Execute the modified code to generate the new object
eval(keycode);
// Replace the 'good' keygen routine with the 'evil' one
GibberishAES.openSSLKey = EvilGibberish.openSSLKey;
This will zero all but the first 32 bits of the AES key, allowing easy brute forcing.
Note that this is based on something I wrote for a CTF, and I haven't tested it specifically against GibberishAES, but the technique works.
It's definitely a questionable javascript library, I wrote it back in 2008 after reading the Wikipedia article :)
It was designed to interop with OpenSSL's default command line AES crypto, which has some weak points, mostly around the IV selection.
That being said, the biggest weakness will always be that it's running in the browser and open to injection attacks.
But while I think there's definitely better crypto chat solutions out there, it's nice to see people taking an interest in the subject. And let's not kid ourselves, the vast majority of NSA data collection is probably less about sophisticated encryption attacks, and more about the clever application of political/police powers.
If you're asking that question, and really aim to write crypto safe from the NSA, then I think you have a lot more learning to do. Just naming off a different mode isn't going to cut it.
The Matasano crypto challenges seem to be popular lately. That would be a decent place to start.
I'm happy with AES and I don't want to write my own crypto.
I was asking for a better AES javascript library, because I found a couple of different js AES libraries, but, as you said, I don't know anything about cryptography, and I wanted to know if some are better than others.
You don't need a better AES implementation (well, you probably do, but that's just the start). You need higher level primitives. There are a thousand ways to use AES, and most of them are insecure, including your implementation.
Your implementation is vulnerable to MITM attacks. That will be the case no matter which AES mode you choose.
You are on the tip of the greatest problem with modern cryptography, which is that there is no real way for widespread confidentiality to be created without trusting a third party such as a CA. But once you trust a CA, then you become vulnerable to the backdoors available through the CA community (not just one CA).
Personally, I'm hoping for a bitcoin-like protocol (such as namecoin) to create a peer-to-peer trust network for distributing public keys.
PKI is only useful when the roots are truly trusted and tightly controlled (or even supervised with highly transparent audit programs). The current generation of Internet CAs don't even come close - they are not trusted by anyone except themselves, and they sure are willing to take your money if it'll make you feel better!
Wait, you're trying to beat NSA by writing your own crypto? This is worse than useless :), all you'll do is flag that communication for further research (which the NSA will then break within a couple of hours if need be), at least with plain text you'll stay in the noise of the masses.
I don't want to beat the NSA, I was just asking for a better javascript AES script.
I have nothing to hide, that's why I would be very happy to get out of the noise of the masses and make the NSA waste a couple of hours :)