
Emscripten and ClojureScript: Transpiling to Avoid Rolling Your Own Crypto - squidlogic
https://blog.balboa.io/emscripten.html
======
barkingcat
I think this is counterproductive - transpiling and relying on emscripten to
be cryptographically secure in not changing your code is the very definition
of rolling your own crypto. How do you know that you're compiling the right
things to js?

The post says they've taken a cursory look at emscripten to make sure it
doesn't have "timing attacks" in one short sentence. This is exactly the kind
of verification that requires an experienced and professional cryptanalyst to
audit, examine, and finally confirm that emscripten -> js indeed doesn't
expose the cryptographic algorithms to side channel attacks, or add additional
weaknesses to the cryptography.

If the authors of the original post are not cryptographically confident enough
to "roll their own crypto" how can they verify that their tool chain is
secure?

Don't roll your own crypto, especially in using tools that haven't been
verified to be used in crypto by cryptanalysis.

~~~
hackcasual
You're already running in a JIT/interpreted VM, timing attacks will be
something that can't really be worked around.

------
tptacek
It is super weird to see new code using Skein; doing that almost by definition
implies you're rolling your own crypto (which has more to do with how you
connect crypto primitives than which primitives you choose), but it's never
made clear in this post exactly what they're doing with it.

~~~
dchest
From
[https://www.balboa.io/security.html](https://www.balboa.io/security.html):

"Skein-1024-CTR, with Skein-1024 as an HMAC in an encrypt-then-mac scheme"

I guess Skein-CTR is based on "Skein as a Stream Cipher" section from the
spec.

[https://github.com/pkcsecurity/trabant/blob/master/pkc_skein...](https://github.com/pkcsecurity/trabant/blob/master/pkc_skein.c#L52)

From homepage: "We use 1024-bit symmetric key encryption, a stronger level of
encryption than most industry standards."

I guess the reason for using Skein is so that they can use this bullshit
marketing :)

~~~
tptacek
Skein HMAC? Why? Skein was designed not to need the HMAC construction.

~~~
dchest
It looks like they are actually using keyed Skein and call it HMAC

[https://github.com/pkcsecurity/trabant/blob/master/pkc_skein...](https://github.com/pkcsecurity/trabant/blob/master/pkc_skein.c#L74)

------
ff_
Any reason for not to use the WebCryptoAPIs?

[https://developer.mozilla.org/en-
US/docs/Web/API/Web_Crypto_...](https://developer.mozilla.org/en-
US/docs/Web/API/Web_Crypto_API)

------
picardo
Whoever made this website has never heard of "Never break the back button"
rule. They literally rewrite my history with every click.

~~~
TazeTSchnitzel
I guess they're using history.replaceState() when they meant to use
history.pushState().

------
jandrese
I had to double check to make sure this article wasn't some Markov chain troll
article.

------
lordofmoria
For reference, an open source library using a similar approach (crytpo +
asm.js):
[https://github.com/vibornoff/asmcrypto.js/](https://github.com/vibornoff/asmcrypto.js/)

Looks like the asmcrypto's speed boosts are pretty high relative to SJCL and
CryptoJS. Granted, this article's approach is transpiles C->JS, not sure what
the implications are there in terms of performance.

------
zubairq
Interesting to see that other projects also consider client side Crypto
possible by calling server side macros. Well done!

This is my project where I do it too :
[https://github.com/zubairq/coils](https://github.com/zubairq/coils)

------
huntaub
A reminder that one of the large issues with running crypto on the client is
that you lose important timing information (due to the JS VM).

------
norswap
I wonder if many of our security issues are not due to poorly written
software, and a big part of that is accumulating layers of cruft in exactly
this sort of way.

I would certainly write my own crypto (but not design my own encryption
scheme!) before using such a heavyweight solution. Implementing crypto might
be hard, but common, not harder than building a compiler.

