Wednesday, October 20, 2004


Communication Board

This Blogger scratch board is intended to share all information, questions and experiences concerning JavaScript SDA.

JavaScript SDA is a smart tool that protects private data in a public web. So only the authorized user (or a group of individuals) has access to this information simply by a web browser with knowledge of a passphrase. See the whole description on

Your thoughts are appreciated, please press "comments" below.

Well, I think your simple shift-registers could be cracked easily with enough calculation power, e.g. by one of the agencies.

I adapted the Javascript SDA for ActionScript.
I couldn't realize the encryption/decryption of special characters directly. I have to escape my strings.

Anyway - it works great.

Thank you for the inspiration.

Enrico Thies

Hi Anonymous,

> Well, I think your simple shift-registers could be cracked easily
> with enough calculation power, e.g. by one of the agencies.

If this makes somebody then he should also get it!

Every random sequence has an information of "only" 128 bits. That means, if someone can guess at least 18 continuous characters of the plaintext at the right position, then he can also reconstruct the rest. But I don't know how.

It seems not to be feasible with today's possibilities to check all keys (Brute Force). Consider that e.g. the Japanese Earth Simulator would take much more time than the universe has existed.

But the registers are too short to be really safe. It might be endangered by future technologies like quantum computing.

I would mention that neither the technical safety nor the question "Does it take 10 million or 10 billion times the age of the universe?" is the point. It is the handling at all.

And what helps if the competent receiver has the absolute safety (like quantum cryptography promises) and he is tormented to betray the key?

Hi Enrico,

thanks. Have you finished your Flash application? Can we have a look?

It would be nice if the JavaScript could transmit the output by email to somebody.

It would be nice if the output could include a prompt message before the passphrase box,
e.g. please input your project number

alan ( 1234)

Hi Alan,

the same idea was suggested by Paul Johnston several months ago but nobody has implemented it.

Apart from the needed effort such a project would take to develop, I think there are other reasons too not to do so:

1. If a server should encrypt and send the mail for you then you must hand over your plaintext. One advantage of SDA would become void. And how can you trust the server or its personnel?

2. Sending a SDA as email is not the best idea. First the receiver's mail tool must be capable of expanding it or at least linking it to the browser. Second someone could send you a spoofed JavaScript mail which looks like a SDA but really it phishes your passphrase. There is not much which could be done against this!
Therefore I prefer a private web space (protected by user and password) as repository for the SDA. And sometimes one can change this web position like others change their transmission frequency.

Please explain how to use this script with unicode

Hi Anonymous,

> Please explain how to use this script with unicode

Sorry, the script is designed for native 7-bit-ASCII code only. This guarantees a maximum of compatibility. But your 7-bit-ASCII text file that you want to be encrypted can contain html-code and with this every defined unicode character, e.g. '&'#8727; is an asterisk.

Please compare the second example in
(After decryption show page source.)
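
The workaround described in this reply, as an added example that is not part of JavaScript SDA or of the original comment: a converter that rewrites every non-ASCII character of an HTML source as a numeric character reference, so the file handed to the encryptor is pure 7-bit ASCII. The function names and the sample string are assumptions made for illustration.

```javascript
// Added example (not JavaScript SDA code): prepare HTML source so that it
// contains only 7-bit ASCII, using numeric character references.

// Returns true when every UTF-16 code unit is in the 7-bit range.
function isSevenBitAscii(text) {
  for (let i = 0; i < text.length; i++) {
    if (text.charCodeAt(i) > 0x7f) return false;
  }
  return true;
}

// Converts HTML source to 7-bit ASCII. Markup and existing entities are
// left untouched; only code points above 0x7F are rewritten as &#N;.
function toSevenBitHtml(html) {
  let out = "";
  // for...of iterates by code point, so surrogate pairs stay together
  // and characters beyond U+FFFF become a single reference.
  for (const ch of html) {
    const cp = ch.codePointAt(0);
    if (cp <= 0x7f) {
      out += ch;
    } else if (cp >= 0xd800 && cp <= 0xdfff) {
      // Lone surrogate: not a valid character, substitute U+FFFD.
      out += "&#65533;";
    } else {
      out += "&#" + cp + ";";
    }
  }
  return out;
}

// Constructed sample input: HTML with BMP and non-BMP characters.
const sample = "<p>Gr\u00fc\u00dfe \u2217 \u{1F512}</p>";
const encoded = toSevenBitHtml(sample);
console.log(encoded);
console.log(isSevenBitAscii(encoded));
```

The browser expands the references again when the decrypted page is rendered, which is why the page source after decryption still shows them.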

Is this script of yours a universal encoding tool, or is it 'home made'?

I was thinking of building a site with an encrypted database, which decrypts on the server with a master key, then encrypts again with the user key, to send the content to the client. At the client I'll javascript decrypt on the client side. Therefore, only the owner of the master, or the user phrase can review the data.
But to implement this, I need various implementations of the same encrypting/decrypting algorithm, for example javascript ánd ASP (or PHP). Is yours one of those? Or do you know a similar server-side implementation?

Hi Daniel,
no, no standard encryption algorithm. But be aware that in JavaScript there is not all the time in the world. The algorithm must be short and fast.
For your server task I cannot help. This JavaScript SDA is as it is. It runs only on clients.
You can take it if you want, but don't remove the copyright notice.
Caution, don't change the algorithm. It would hit security in a way you cannot estimate.

Hi! (Yes, I realise there's a substantial time difference here ... hopefully this is still maintained?)

This is a really sweet project, and seeing that you gave permission for use of your script, I thought I could meet the needs of people that don't have web space of their own. Having some time on my hands, I went ahead and put this together:
Just thought I'd let you know. If anyone has suggestions, let me know, although I can't necessarily promise enough time to actually do something about them - but I'll at least try.