DesCrypt
DesCrypt provides client-side DES and 3DES encryption support for PmWiki.
Version 0.1
Why?
Like most people, in addition to using PmWiki for public uses I also use it as personal scratch space and a memory dump. Over time I found myself starting to use it to store information that I'd rather other people not see; website passwords, financial information, etc. PmWiki.Passwords, .htaccess files, and https are great for keeping web surfers out of my stuff, but what if my sever was compromised or my admin turned rogue? In that case all my info was sitting in flat files easily copied and read.
How?
Client-side DES encryption implemented in Javascript provides a method of (en|de)crypting data with out the plain text data or passwords ever landing on the remote server.
Extract the file :des-0.1.tgzΔ into pmwiki. It should contain the files:
- pmwiki/cookbook/des.php
- pmwiki/pub/descrypt/des.js
And add the lines:
## des.php loads descrypt loads a module that provides client-side encryption
- include_once('cookbook/des.php');
to pmwiki/local/config.php
This will add a button to the top of the edit text box labeled "DESCRYPT". Set up your edit text like this:
This is some text. This is some text. (:descrypt:) [= Encrypt this text =] But not this text (:descrypt:) [= Encrypt this as well =]
And then before pressing "Save" or "Preview" press "DESCRYPT". This will prompt for a password and then change the markup to (:descrypted:). You may now click "Save". In standard viewing your encrypted text will show as a link that, when clicked, prompts for a decrypt password.
Encryption Strength
The DES protocol for encryption has been compromised through brute force attacks over time (though more on the scale of server cluster, than fast desktop) and the 3DES method was provided as a stop gap solution to increase protection. Even still DES should provide ample protection from all but the most serious attempts to crack.
DesCrypt uses password length to determine whether DES or 3DES is to be performed. 8 character passwords use DES and 24 character passwords perform 3DES.
Vulnerabilities
DesCrypt protects the data stored on the web server from being directly read. Anyone with access to the PmWiki files could easily change the des.js file to transmit passwords or data back to the server, compromising the data. Further, DesCrypt provides no protection from a client machine or browser that has been previously compromised.
Limitations
- Only tested under Firefox 1.0 on WinXp, Mozilla 1.7.2 [ok]
- and no promises that your data wont be forever lost, this is alpha code {works for me - csc}
Todo, Bugs
- Add IE support - if it doesn't already work (MSIE5.0: incompatible js -pog)
- minor bug: (Moz. 1.72) uncrypt-link is only generated when (:descrypted:) on col1 unlike:
foo (:descrypted:) [= 0x2ba0c46e21296d43047452ea9deb1bdb =] - wikifarm: adjustment in: dec.php line 13: place of js!
See Also
- WikiSh gives an alternate approach to encryption/decryption. It depends on the mcrypt extension to PHP. It allows encryption/decryption of any page or file to which WikiSh has read/write access. (Other text can be encrypted/decrypted as well - it is in-memory-text based rather than file- or page-based -- the file/page capabilities come as a side effect of the WikiSh file/page capabilities.)
- EditCrypt is based on the underlying WikiSh and WikiShCrypt capabilities but gives a more user-friendly, form-based approach. It includes capabilities to encrypt and decrypt entire pages using any of the algorithms supported by MCRYPT. Encryption/Decryption is done in the EditForm and also provides a markup for encrypted pages to be decrypted "on-the-fly" (in-memory only) for viewing.
Contributor
DesCrypt is based on the encryption work and functions provided by Paul Tero http://www.tero.co.uk/des/index.php
Comments
See discussion at DesCrypt-Talk
User notes? : If you use, used or reviewed this recipe, you can add your name. These statistics appear in the Cookbook listings and will help newcomers browsing through the wiki.