dokucrypt

dokucrypt is a client-side (JavaScript) cryptography plugin. This plugin allows a user to store and access sensitive data in a dokuwiki. All sensitive data is encrypted before it is submitted and decrypted on the client's machine. A user's sensitive data will only be accessible when viewed with a JavaScript-enabled browser and the proper pass phrase. It will never be transmitted or stored in plain text.

The Javascrypt (http://www.fourmilab.ch/javascrypt/) library is used for encryption and decryption to provide 256 Bit AES encryption.

Usage

Entering Encrypted Data

In order to encrypt some sensitive data, the user needs to add text like the following:

Hi world.  I have a secret.  Can you read it?
< SECRET>I like ice cream< /SECRET>
  • Note: the space before 'SECRET' must be removed

When the user hits 'Save' (or when a draft save is attempted), a prompt will open asking the user to enter a pass phrase key for the encryption. Once supplied, the encryption will be done in the browser and the encrypted text submitted to the server.

Viewing Encrypted Data

When the page is viewed, the user will see the encrypted text and a link 'Decrypt Encrypted Text' will appear which will prompt the user for a password and decrypt the text (see the example below).

The encrypted text is compatible with javascrypt decryption (http://www.fourmilab.ch/javascrypt/jscrypt.html).

To view the secret text in the example below, use 'secret' as the pass phrase.

Example Encrypted Text

Hi world. I have a secret. Can you read it? Decrypt Encrypted Text[Toggle Visible]

#####  Encrypted: decrypt with http://www.fourmilab.ch/javascrypt/
?b64Py5y9JZMVa728IXwqaBh+f9Tbz9jP9OvCY2UdexIz5i6bLRsCOF2IA9qECpp
Bc6oY+BAihtLdzyrtQA3x6yrxg==?64b
#####  End encrypted message

You can see a clipped screenshot here.

Editing Encrypted Data

To edit the encrypted data, the user needs to Edit the wiki page. When first loaded, encrypted text will appear encrypted, surrounded by <ENCRYPTED> and </ENCRYPTED> tags. To edit this text, the user needs to press the 'DecryptSecret' button between 'Save' and 'Preview', and supply the correct pass phrase. The encrypted text will be decrypted to the 'SECRET' form shown above, and the user can edit in plaintext. Submits or drafts will be encrypted before submission with the same pass phrase supplied.

Installation

To install, simply extract the archive in the 'lib/plugins' directory under your dokuwiki installation and rename the 'crypt-X.Y' directory to 'crypt' (or replace an older version).

$ cd path/to/wiki/root/lib/plugins
$ tar xvzf ~/dl/crypt-plugin-0.29.1.tar.gz
$ mv crypt-0.29.1 crypt

Releases

0.29.1 : security: fix cross-site scripting vulnerability (2009/02/17)

  • Previous versions of dokucrypt are vulnerable to a cross site scripting attack. Anything included between <ENCRYPTED> and </ENCRYPTED> was not escaped and could then include javascript or other html.
  • Download
  • Note: This version is known to be incompatible with the 2009-12-02 release of dokuwiki. I would like to release a version for 2009-12-02, but haven't found time to do so. Patches are definitely accepted.
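The fix described in the 0.29.1 note, as an added example (not dokucrypt's source): the body of an ENCRYPTED block emitted verbatim versus escaped, plus an audit helper that flags stored blocks whose body is not ciphertext. The `<pre class="dokucrypt">` wrapper and the assumption that bodies use the `?b64 ... ?64b` armor shown in the example above belong to this example only.

```javascript
// Added example, not dokucrypt's source. The <pre class="dokucrypt"> wrapper is hypothetical.
const ENCRYPTED_RE = /<ENCRYPTED>([\s\S]*?)<\/ENCRYPTED>/g;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Behaviour the 0.29.1 note describes for earlier versions: body emitted verbatim.
function renderBlockUnescaped(body) {
  return '<pre class="dokucrypt">' + body + '</pre>';
}

// Fixed behaviour: the body is output as text, so markup in it stays inert.
function renderBlockEscaped(body) {
  return '<pre class="dokucrypt">' + escapeHtml(body) + '</pre>';
}

// Audit helper (assumption: bodies use the "?b64 ... ?64b" armor shown in the
// page's example). Anything else inside an ENCRYPTED block deserves a look.
function looksLikeArmoredCiphertext(body) {
  const payload = body.split('\n')
    .filter((line) => !line.startsWith('#####'))
    .join('\n').trim();
  return /^\?b64[A-Za-z0-9+\/=\s]+\?64b$/.test(payload);
}

// Returns the bodies of all ENCRYPTED blocks that are not armored ciphertext.
function auditPage(wikiText) {
  const findings = [];
  for (const m of wikiText.matchAll(ENCRYPTED_RE)) {
    if (!looksLikeArmoredCiphertext(m[1])) findings.push(m[1]);
  }
  return findings;
}

// Constructed sample page: one well-formed block, one carrying markup.
const samplePage = [
  '<ENCRYPTED>#####  Encrypted: decrypt with http://www.fourmilab.ch/javascrypt/',
  '?b64QUJDREVGRw==?64b',
  '#####  End encrypted message</ENCRYPTED>',
  'Some text.',
  '<ENCRYPTED><script>alert(1)</script></ENCRYPTED>',
].join('\n');
```

Running `auditPage` over stored page text after upgrading shows which pages had non-ciphertext content placed between the tags.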

0.29 : add 'Toggle Visible' (2008/11/03)

  • Adds the “Toggle Visible” option. This adds a link to hide/unhide an encrypted element (so the user doesn't have to see the encrypted data). This is less tested than other releases, but generally works for me. To specify whether an element is collapsed or expanded by default, add the 'COLLAPSED="1"' entry to the SECRET or LOCK tag.
  • Download crypt-plugin-0.29.tar.gz (2889e7f9d1773613e36478ae7d839ea5)

0.2 : Fix IE (2008/01/03)

  • IE should now work (version 6 and 7 tested). Thanks to Michael Lapointe.
  • Download crypt-plugin-0.2.tar.gz (a22201ec7a69f48c05303a5b9b38481c)

0.1 : First Release

Bugs

  • Does not work with Internet Explorer (IE). (version .2 fixes IE)

ToDo

  • Replace 'prompt' with a customized/prettier one from http://javascript.internet.com/text-effects/customizable-javascript-prompt.html . This would allow the use of a password box, so the password is not displayed as it is typed.
  • Better “blocking” for encodeForSubmit, possibly using setTimeout
  • Add a Button in the edit toolbar for 'Secret'
  • Offer more standard JavaScrypt page form
  • Recognize case insensitivity of the SECRET, ENCRYPTED and LOCK keywords.
  • Do not attempt to encrypt a SECRET tag that is inside 'nowiki', 'code' or %% tags.

Implementation Notes

In order to add this functionality, some hacks were needed.

  • 'onsubmit' encryption of the text area is used to encrypt the data before submission via draft or 'Save', or 'Preview'. In order to avoid risk of that data being submitted without this encryption taking place, some measures had to be taken. On load, the edit text area is moved out of the FORM, and replaced with an identically named HIDDEN form element. On submit, the text area data is encrypted and the encrypted text is stored in the hidden field.

In order for this hack to be avoided, two things would be needed; these would be difficult to do well in a no-javascript-available environment.

  • an extensible 'addSubmitEvent' function would be needed in dokuwiki similar to addInitEvent
  • some sync-to-real-submit mechanism would need to be done before submission.
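The submit path from the first note above, as an added example (not dokucrypt's source): plain objects stand in for the text area and the hidden field, and `encryptFn` is a hypothetical parameter standing in for the Javascrypt AES call. It shows the property the hack is there to guarantee, namely that the posted field is filled with encrypted text or left empty; refusing oddly-cased SECRET tags is a choice of this example.

```javascript
// Added example, not dokucrypt's source. Plain objects stand in for the DOM
// nodes; encryptFn stands in for the Javascrypt AES call (assumption).
const SECRET_RE = /<SECRET>([\s\S]*?)<\/SECRET>/g;

function encryptSecrets(text, passPhrase, encryptFn) {
  if (!passPhrase) throw new Error('no pass phrase supplied');
  const out = text.replace(SECRET_RE, (_, plain) =>
    '<ENCRYPTED>' + encryptFn(passPhrase, plain) + '</ENCRYPTED>');
  // Fail closed: an unterminated or oddly-cased tag means plaintext survived.
  if (/<\/?SECRET\b/i.test(out)) throw new Error('unencrypted SECRET tag remains');
  return out;
}

// On load: the text area is detached from the form and a hidden field of the
// same name takes its place, so the form can only ever post `hidden.value`.
function makeEditForm(fieldName, initialText) {
  return {
    textarea: { name: fieldName, value: initialText }, // not part of the form
    hidden: { name: fieldName, value: '' },            // the only posted field
  };
}

// On submit (Save, Preview or draft): fill the hidden field or post nothing.
function onSubmit(form, passPhrase, encryptFn) {
  form.hidden.value = '';
  try {
    form.hidden.value = encryptSecrets(form.textarea.value, passPhrase, encryptFn);
    return true;   // allow the submit
  } catch (e) {
    return false;  // cancel the submit; the hidden field stays empty
  }
}
```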

About

  • Dokucrypt is created by me, Scott Moser. I hope you find it generally useful and relatively bug free. Please feel free to contact me at Scott Moser smoser-nospam-@brickies-nospam-.net. (remove the -nospam- to get email address).
 
dokucrypt/start.txt · Last modified: 2010/01/04 06:22 by smoser
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported