[cryptography] Introducing SC4 -- feedback appreciated

Ron Garret ron at flownet.com
Fri Apr 17 13:56:01 EDT 2015

TL;DR: I took tweet-NaCl-JS and wrapped a little PGP-like webapp around it.  I would like to solicit feedback and code review from this community before I submit it for a formal audit and release it to the general public.


Source code: https://github.com/Spark-Innovations/SC4

Live demo: https://sc4.us/sc4.html

FAQ for experts: http://sc4.us/expert_faq.html

FAQ for non-experts: http://sc4.us/regular_faq.html

Note that the FAQ links are not secure.  This will be fixed eventually.  The production push process is a work-in-progress.

Unique features of SC4:

1.  It is a standalone web application.  The server only serves static files.  You can even run SC4 from a FILE: URL, though this requires the keys to be embedded in the code.  SC4 includes code to automatically generate a standalone version.  This is mainly intended to be a proof-of-concept, but it does work.

2.  It’s tiny, and therefore easy to audit.  It consists of three standard libraries (tweet-NaCl, jQuery, and purify) plus <1000 lines of additional code, and that includes the HTML and CSS.

3.  It runs in FF, Chrome and Safari.  It might even run in IE but I haven’t tried it.

SC4 aims for a point in the design space that balances security against ease of use.  PGP is bullet-proof, but not widely deployed because there is a lot of friction in getting it up and running.  SC4 aims to eliminate this friction while remaining reasonably secure.  It is also based on open standards so that more secure implementations can be easily produced in the future.  (Part of my long-term plan is to build an HSM dongle using a Teensy 3 board.)

Feedback and constructive criticism much appreciated.  Also, I’m seeking someone to serve as a paid consultant on this project.  If you’re interested please contact me off-line.  My SC4 key is:

X-sc4-content-type: public-key
From: ron at spark-innovations.com
Timestamp: Fri, 17 Apr 2015 17:40:56 GMT
---END KEY---

Ron Garret
