Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Short security review results May 2018 #719

toberndo opened this issue Jun 15, 2018 · 3 comments


None yet
4 participants
Copy link

commented Jun 15, 2018

In the course of the project we have initiated an audit of the OpenPGP.js code base which was conducted by Cure53.
This was only a short security review without final report, still I think it is interesting to share the assessement of Cure53 on features newly implemented in OpenPGP.js v3.

Coverage of the audit:

  • AEAD encrypted packets
  • CMAC
  • all cryptographic primitive implementations: AES,
    AES-EAX, AES-GCM, AES-CBC, ED25519, C25519, ECDSA, HMAC, P256, P384,
    P521, SECP256K1.
  • Prime number handling.
  • Date support in signatures.
  • Cryptographic API exposure via different providers.

Feedback from Cure53 team:

Tested cryptographic implementations were top notch and excellent
quality given the platform. The only limitations come from the platform
itself (JavaScript/web), which do not allow for side channel resistance
or reliable constant time operations. Overall however this is an
exceptional library for JavaScript cryptography.

@cure53 please confirm result and please also open a new ticket for the identified issue MV-02-005 (low).


This comment has been minimized.

Copy link

commented Jun 15, 2018

Excellent news


This comment has been minimized.

Copy link

commented Jun 15, 2018

Hi @toberndo, the result is hereby confirmed!


This comment has been minimized.

Copy link

commented Aug 16, 2018

This is great!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.