Secure Javascript Encryption Library?

I'm searching a javascript library that offers secure encryption. The client has to generate a key and all data uploaded to the server is encrypted, all data downloaded is decrypte

Solution 1:

Short answer I'm afraid this is not impossible.

Long answer Because you cannot guarantee the integrity of the Javascript library, you cannot rely on it doing what you expect it to do. As a result, you cannot guarantee any security.

This issue has been discussed extensively and always end in the same conclusion: Without any two-way authentication and secure channel, your client has no method of verifying the correctness of the library. If any man-in-the-middle changed the crypto routines, your client would not know, let alone that you would ever find out.

So, to guarantee security, you will need SSL and client certificates.

Solution 2:

Appart from CCM as deployed by SJCL is a stream cipher mode, I would take a careful look at it and not just look at the convenience wrappers. It's open source, so somewhere there should be the implementation of the raw cipher anyway.

Note that this is not code that should be ultimately trusted. When I tried to program a Java wrapper for it I quickly found an error that authentication failed. Seems like the convenience library did not authenticate the associated authentication data at all. As it isn't tested with other libraries, I would urge you to take care there aren't some left over bugs present.

Solution 3:

Is there any reason why you need to push to an untrusted server from your client?

If the server that is delivering your website is trusted, then you should be able to post your data back to the trusted server, have the trusted server encrypt, and then the trusted server can send the data to the untrusted server for storage.