ttgurney | 3 years ago
How is the key being stored? What would make sense to me is that the key is given in the URL as a query parameter, so that it is not actually stored anywhere on the server side. But that doesn't look to be the case.
> We use AES encryption with a 4096-bit key.
I have never heard of 4096-bit AES. Typically the expert opinion I have heard on AES key lengths is that 128-bit is enough and that 256-bit is overkill reserved for the paranoid.
I am reminded of Bruce Schneier's warning sign #5 of cryptographic snake oil: ridiculous key lengths: https://www.schneier.com/crypto-gram/archives/1999/0215.html...
I don't mean to imply that this tool is "snake oil"--just that "4096-bit AES" is not a good look in light of the above advice from a highly respected cryptographer.
(On the other hand, 4096-bit keys are often used with RSA. But that is a different kind of algorithm with a different purpose.)
bquaresma | 3 years ago
I really appreciate your feedback!
- Yes, I think having the key in the URL makes total sense. It is something I'm working on.
- This key is stored in an env variable and hosted on Vercel, and it was generated by the "crypto-js" package.
- You can see the code here: https://github.com/BrunoQuaresma/onetimemessage.app/blob/mai...
- Thanks for sharing the article, really good one.