Welcome to JavaScrypt, the high-security data encryption solution which runs entirely in your Web browser. To use the page, your browser must support JavaScript and you must not have disabled execution of that language. Let's see…
If the box above says “Your browser supports JavaScript”, you're in business.
JavaScrypt runs entirely in your browser—nothing is sent to any Web site when you use it. You can, if you wish, download JavaScrypt to your own computer and use it when not connected to the Internet.
JavaScrypt's encryption facilities use the Advanced Encryption Standard (AES) adopted by the United States as Federal Information Processing Standard 197. AES supports key lengths of 128, 192, and 256 bits; JavaScrypt uses 256 bit keys exclusively.
If you're already familiar with encryption, proceed directly to the pages which implement the various components of JavaScrypt. If you're a newcomer, you may prefer to work through the JavaScrypt Tutorial, which demonstrates how they're used.
At first glance, JavaScript may seem an odd choice for implementing encryption. These programs are rather large and complicated, and downloading and running them them takes longer than would be required for a Java applet or to access a CGI program on a Web server. I chose JavaScript for two reasons: security and transparency.
Security. The sole reason for encryption is to protect privacy. This means the process cannot involve any link whose security is suspect. If messages were encrypted by a Web server, they would have to pass over the Internet, where any intermediate site might intercept them. Even if some mechanism such as secure HTTP could absolutely prevent the data's being intercepted, you'd still have no way to be sure the site which performed the encryption didn't keep a copy in a file, conveniently tagged with your Internet address.
In order to have any degree of security, it is essential that all processing be done on your computer, without involving any transmission or interaction with other sites on the Internet. A Web browser with JavaScript makes this possible, since the programs embedded in these pages run entirely on your own computer and do not transmit anything over the Internet. Output appears only in text boxes, allowing you to cut and paste it to another application. From there on, security is up to you.
Security is never absolute. Data encrypted with these pages might be compromised in a variety of ways, including but not limited to the following:
Your Web browser and/or JavaScript interpreter may contain bugs or deliberate security violations which report activity on your computer back to some other Internet site.
Some other applet running on another page in your browser, perhaps without your being aware of its existence, is spying on other windows.
Some other “spyware” application running on your computer may have compromised your system's security and be snooping on your activity.
Your Web browser may be keeping a “history log” or “cache” of data you generate. Somebody may come along later and recover a copy of your data from that log.
The implementation of these pages may contain a bug or deliberate error which makes its results insecure. This is why transparency, discussed below, is essential.
Your computer's security may have been compromised physically; when's the last time you checked that a bug that transmits your keystrokes and/or screen contents to that white van parked down the street wasn't lurking inside your computer cabinet?
One can whip oneself into a fine fever of paranoia worrying about things like this. One way to rule out the most probable risks is to download a copy of these pages and the JavaScript programs they reference and run it from a “file:” URL on a computer with no network connection whatsoever located in secure premises under your control. And look very carefully at any files created by your Web browser. You may find the most interesting things squirreled away there….
Transparency. Any security-related tool is only as good as its design and implementation. Transparency means that, in essence, all the moving parts are visible so you can judge for yourself whether the tool merits your confidence. In the case of a program, this means that complete source code must be available, and that you can verify that the program you're running corresponds to the source code provided.
The very nature of JavaScript achieves this transparency. The programs are embedded into the Web pages you interact with; to examine them you need only use your browser's “View Source” facility, or save the page into a file on your computer and read it with a text editor; any JavaScript components the pages reference can be similarly downloaded and examined in source code form. JavaScript's being an interpreted language eliminates the risk of your running a program different from the purported source code: with an interpreted language what you read is what you run.
Transparency is important even if you don't know enough about programming or security to determine whether the programs contain any flaws. The very fact that they can be examined by anybody allows those with the required expertise to pass judgment, and you can form your own conclusions based on their analysis.
The JavaScript implementation of the AES (Rijndael) encryption algorithm was developed by Fritz Schneider; it has been modified slightly for use in JavaScrypt but produces output identical to the reference implementation.
The JavaScript implementation of the MD5 message-digest algorithm was developed by Henri Torgemane; please view the source code file md5.js to examine the code, including the copyright notice and conditions of use. The MD5 algorithm was developed by Ron Rivest.
The JavaScript implementation of the SHA-2 hash functions SHA-224 and SHA-256 is by Chen, Yi-Cyuan and released under the MIT License, which is included in the source code file sha256.js. The original code is available on GitHub.
This page allows you to encrypt text with a specified key, yielding an encoded message, and decode encrypted messages, recovering the original text. All encryption is performed entirely within your Web browser using the JavaScript language (which, obviously, must be enabled in order to use this page).Nothing is sent to any Web site when you encrypt or decrypt a message! You can, if you wish, download a copy of this page and the JavaScript programs it includes to your own computer and use it even when you're not connected to the Internet. (For this purpose, you may prefer the monolithic “lean” versionwith documentation removed and all JavaScript programs embedded into a single Web page.)
Enter the key to be used to encrypt or decrypt the data in the field below. If Text is checked, the key may consist of any sequence of up to 1024 characters; for maximum security, if the key consists of a sequence of words (many people find it easier to remember a phrase instead of a random sequence of characters), it should be at least 60 characters in length. If Hexadecimal is checked, the key is given as a sequence of hexadecimal digits: 0–9, a–f (or A–F), which should be 32 bytes (64 hexadecimal digits) in length for maximum security. The Generate button may be used to create a key in either text or hexadecimal format (depending on which button is checked) sufficiently long to provide maximum security using a high quality pseudorandom number generator seeded from the time the page was loaded, the time you pressed the Generate button, and the time of keystrokes and various other events since the page was loaded. You can generate lists of keys suitable for exchanging with correspondents using our companion Pass Phrase Generator page.
Text Hexadecimal
Enter or paste the text to be encrypted into the following box. If you wish to encrypt a binary file (for example, an image or an audio file), use a utility likeBase64 to encode it as text before encryption. Press the Encrypt button to encrypt the text with the above key; the encrypted text will be placed in the Cipher Text box, encoded as text with the Encoding you've selected. If you prefer to camouflage your message as (nonsense) English text, first encrypt it in any of the encodings, then select, copy, and paste the text into our Steganography (hidden writing) page.
Encoding: Codegroup Hexadecimal Base 64
To decrypt an enciphered message, paste it in the box below, enter the key with which it was encrypted in the Key box at the top, and press the Decryptbutton. The decrypted text will be placed in the Plain Text box above. Text before and after the encrypted message is ignored, and the encoding used by the message is determined automatically. You can decrypt only one message at a time; if more than one encrypted message is pasted into the box below, only the first will be decrypted.