Practical cryptography

FYI, I’m on vacation in Costa Rica, so this is the last [email protected] of 2015. Pura vida mae!

It’s holiday season and my family & friends keep asking for my mailing address. Frankly, I’m surprised holiday cards are still a thing. (My parents declared holiday card/newsletter bankruptcy decades ago.) Save a tree and send me an email with funny gifs instead.

I briefly considered posting my address on my website, but I didn’t want tons of spam. So, I needed a way to put it online and restrict access to people who actually know me.

I figure that if you can spell my middle name and you know my phone number, you can probably figure out or socially engineer my mailing address. So, here’s what I came up with. I call it Cryptopostal:

How it works

While it’s trivial to create a web form that reveals something, securing it is not. A simple show/hide is insufficient, because the “hidden info” is stored as plaintext in the source code. A secure alternative would be a database lookup using name & phone as the login credentials, but that’s a colossal waste of resources for this application.

The answer is crypto. By encrypting my address, I can store it in the source code, and decrypt it locally whenever a visitor provides the proper answers. It’s 100% static and supes elegant.

I looked at a bunch of cryptography libraries, but I chose the Stanford University Crypto Library (SJCL) because it’s small, maintained, works locally in the browser & in node, and it has a super simple API.

How simple? This simple:

```javascript
// encrypt data
var e = sjcl.encrypt("passphrase", "secret message");

// decrypt data
var d = sjcl.decrypt("passphrase", e);
```

Using the correct answers (name + phone) as my passphrase, I encrypted three strings and stored them as JavaScript variables:

Whenever a visitor submits the form, a script does the following:

As you can see in my 80s inspired demo, it’s pretty neat.
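The encrypt-once, decrypt-on-submit flow described above, as an added example that is not the Cryptopostal code: it swaps SJCL for Node's built-in crypto module (scrypt plus AES-256-GCM) so it runs offline. The function names and the sample name, phone number and address are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Canonicalise the two form answers so " quincy" / "(555) 010-0199" still match.
function passphrase(name, phone) {
  return name.trim().toLowerCase() + '|' + phone.replace(/\D/g, '');
}

// scrypt stretches the low-entropy answers into a 256-bit key. The ciphertext
// is public in the page source, so this work factor is what slows guessing.
function deriveKey(pass, salt) {
  return nodeCrypto.scryptSync(pass, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Run once at build time; the returned object is what gets embedded in the page.
function seal(name, phone, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(passphrase(name, phone), salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Run on form submit. Returns the plaintext, or null when the answers are wrong
// (the GCM tag check fails, so garbage is never shown to the visitor).
function reveal(name, phone, blob) {
  const b = (k) => Buffer.from(blob[k], 'base64');
  const key = deriveKey(passphrase(name, phone), b('salt'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, b('iv'));
  decipher.setAuthTag(b('tag'));
  try {
    return Buffer.concat([decipher.update(b('ct')), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data, not the author's real answers or address.
const blob = seal('Quincy', '555-010-0199', '123 Example St, Springfield');
console.log(reveal(' quincy', '(555) 010-0199', blob)); // right answers, other formatting
console.log(reveal('Quincey', '555-010-0199', blob));   // misspelled name
```

Because the authenticated mode rejects a wrong key outright, the page can tell "wrong answers" apart from "decrypted successfully" without storing any hash of the passphrase alongside the ciphertext.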

Roll your own

I wrote a node package that will generate a Cryptopostal page for you:

  1. Clone the repo
  2. Run npm install
  3. Edit variables in index.js (name, avatar, q1, q2, pass, d1, d2, d3)
  4. Run node index.js to update index.html
  5. Upload index.html & all the css/js/image assets to your web host. Do not upload index.js.
2017 Neal Shyam