The Future of File Utilities: encryption, hashing and compression in the browser

I was wondering if the time has come where browser tech is secure and powerful enough to replace some of the niche command line tools that we are used to in Linux. Normally I’d have to download some variant of them on each operating system or device I’m working on. This can get annoying. Some of the most common niche tools are encryption, hashing and compression of files.

It turns out that the browser is more than capable of delivering this functionality thanks to some awesome open source projects. Imagine in the future having a plethora of file tools implemented in the browser: file editor, diff, hex dump, hex edit, all kinds of compression, encryption, hashing, search and replace of text and so on. We can potentially pipe the output of these tools to third party APIs to save the files on cloud storage or process them further. This can open a new era for file tools. And the best part is it's all cross-platform. The tools can run uniformly on any operating system and any device that supports a major browser.

File Utilities

After my experience with building SecureMyFiles, a client-side encryption product for desktop operating systems, I got curious if we can achieve similar functionality directly in the browser. My main requirement was that all file operations must be performed on the client side with no data being transferred to a server. The idea is to use the browser as a cross-platform execution engine to run the file utilities on any operating system, including mobile devices. This way we can avoid downloading specialized tools as we move from device to device.

I’ve open sourced the tools on GitHub: https://github.com/stanimirivanovde/browser-power

File Encryption in the Browser

I was able to create an efficient file encryption and decryption utility in the browser that runs completely on the client side. Both encryption and decryption are efficient and run in constant memory achieving 9MB/s. They don’t match the performance of their command-line alternatives but given the fact that they can run on most devices that can run a browser I think it is a good start.

The JavaScript library I decided to use is forge. The need to run with constant memory regardless of the file size requires a cipher that can be updated in chunks. The forge implementation worked quite well. Unfortunately the native Web Crypto API does not support chunk-based encryption, which was disappointing.

The encryption algorithm I use is AES-GCM with a 12-byte IV and a 128-bit tag. The key is derived from a password and a randomly generated 128-bit salt passed through PBKDF2 with 100K iterations. The IV is initialized to all 0s (deterministic construction). This is safe only because a key/IV pair is never reused: each encryption generates a new salt and therefore a new key. The structure of the encrypted file is:

| 128 bit salt | encrypted file contents | 128 bit tag |
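The scheme above, sketched as an added example with Node's built-in `crypto` module rather than forge; it is not the project's code. The function names, the AES-256 key size and SHA-256 as the PBKDF2 hash are assumptions, since the page states neither.

```javascript
// Added example. Assumed (not stated on the page): AES-256, PBKDF2-HMAC-SHA-256.
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const SALT_LEN = 16, TAG_LEN = 16, ITERATIONS = 100000;
const ZERO_IV = Buffer.alloc(12);            // all-zero IV: only safe with a one-time key
const GCM_OPTS = { authTagLength: TAG_LEN };

function deriveKey(password, salt) {
  return pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// chunks: iterable of Buffers, standing in for slices read from a file.
// Output layout: | salt (16) | ciphertext | tag (16) |
function encryptChunks(password, chunks) {
  const salt = randomBytes(SALT_LEN);        // fresh salt => fresh key per file
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), ZERO_IV, GCM_OPTS);
  const out = [salt];
  for (const chunk of chunks) out.push(cipher.update(chunk));
  out.push(cipher.final(), cipher.getAuthTag());
  return Buffer.concat(out);
}

function decryptFile(password, blob, chunkSize = 64 * 1024) {
  if (blob.length < SALT_LEN + TAG_LEN) throw new Error('file too short');
  const salt = blob.subarray(0, SALT_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const body = blob.subarray(SALT_LEN, blob.length - TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(password, salt), ZERO_IV, GCM_OPTS);
  decipher.setAuthTag(tag);
  const parts = [];
  for (let i = 0; i < body.length; i += chunkSize) {
    // Plaintext produced here is NOT yet authenticated.
    parts.push(decipher.update(body.subarray(i, i + chunkSize)));
  }
  decipher.final();                          // throws if the tag does not verify
  return Buffer.concat(parts);
}

// Constructed sample input: two small chunks of one "file".
const sample = encryptChunks('correct horse', [Buffer.from('hello '), Buffer.from('world')]);
console.log(decryptFile('correct horse', sample).toString());
```

When the decrypted chunks are streamed to disk instead of buffered, the output must be deleted if `final()` throws, because the tag is only checked after the last chunk.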

File Encryptor on GitHub: https://stanimirivanovde.github.io/browser-power/encrypt-file.html

File Decryptor on GitHub: https://stanimirivanovde.github.io/browser-power/decrypt-file.html

File Hashing in the Browser

The file hasher produces a SHA-256 hash. It also uses the forge crypto library. It operates on 1MB chunks and can read files of arbitrary size using constant memory. The speed is around 6 times slower than the command line utility sha256sum on my MacBook Pro. But nevertheless it works great in the browser.

File Hasher on GitHub: https://stanimirivanovde.github.io/browser-power/hash-file.html

File Compression

I decided to use the pako compression library. It achieves good speed and uses the zlib compression algorithm. I tested compressing a 34GB file (VirtualBox vdi file). It took some time but finished successfully on my MacBook Pro with 16GB of RAM. The file format is not pure gzip which is unfortunate since other tools cannot be used to decompress the file.

File Compressor on GitHub: https://stanimirivanovde.github.io/browser-power/compress-file.html

File Decompressor on GitHub: https://stanimirivanovde.github.io/browser-power/decompress-file.html

What’s next

Why not compress and encrypt at the same time? Why not compress, encrypt and push to Dropbox using their API? This way I have my file ready to be shared with whoever I want. What other use cases can you think of?

 

Securing Sensitive Files

Sensitive files can be secured using different methods. It is important to understand the pros and cons of each in order to pick the best tool for your needs.

Encrypted Archives

Most archival software has the capability to add a pass phrase for archive protection. Different tools use different encryption algorithms. It is important to also look for authenticated encryption or AEAD. It provides extra integrity verification that ensures the archive hasn’t been tampered with. Some of the tools that support archival encryption are:

  • 7-zip
  • WinZip
  • WinRAR

Summary:

  • Easy to use
  • Widely available
  • Difficult to manage pass phrases for many different archives
  • Most archival software doesn’t support authenticated encryption
  • Can be slow to add new files to an existing large archive

Basic Encryption Tools

Basic encryption tools don’t provide archival capabilities. Their main purpose is to encrypt a file. Each file is encrypted with its own pass phrase or your public key. There is support for file compression. Some of them are cross-platform and run on most operating systems.

Summary:

  • Easy to install and use
  • Difficult to manage different pass phrases for each file
  • PGP is complex and requires careful understanding of its configuration
  • Some of the tools in this category don’t support authenticated encryption

Application specific encryption

Some applications provide their own file protection as part of their interface. The protection mechanisms vary between different applications. In the past, various applications had issues protecting files. For example the encryption of Word documents before Office 2003 was insecure. Examples of application specific encryption:

  • Password protected Word, Excel, PowerPoint files
  • Password protected PDFs

Summary:

  • These applications already support encryption so it is convenient to use it out of the box
  • It is hard to manage passwords for different files
  • Some applications provide very weak security by using old and vulnerable algorithms
    • NOTE: The encryption of Word documents before Office 2003 is insecure.
  • There can be a version mismatch where a file is encrypted with a different version of the software and can’t be opened

Encrypted File Volumes (not optimized for cloud)

Encrypted volumes are much easier to work with. The volume is just a flat file on your disk so you can move it anywhere. When mounted the volume appears as a regular drive on your operating system. You can add/delete/edit files with ease. The user needs a single pass phrase to mount the volume and this applies to all added files. Volumes can be mounted and unmounted at any time.

  • VeraCrypt
  • TrueCrypt (deprecated)

Summary:

  • Using a single password to open the volume can simplify working with many encrypted files
  • Easy to use
  • Fixed size of each volume that can’t grow dynamically can be frustrating
  • Not optimized for cloud storage – if a single file changes then the whole contents of the volume needs to be synced to the cloud

Full Drive Encryption (FDE)

Full Drive Encryption is great for preventing a stolen drive or laptop from being accessed without the passphrase. The protection depends on which drive is encrypted. If it is the boot drive then as soon as the drive is booted into the operating system it is no longer protected, as a logged-in user has complete access to all the files. The only way to protect your encrypted boot drive is to shut down your computer. If a partition is encrypted then once it is “mounted” it appears as a drive on your OS. Most modern operating systems already have support for FDE and it is fairly simple to turn on. It does add peace of mind that your data is protected if you lose your laptop. Some tools allow for hidden partitions that can add additional security to your files.

  • BitLocker (Windows)
  • VeraCrypt (Cross-Platform)
  • FileVault (Mac OS X)
  • dm-crypt (Linux)
  • PGP Full Disk Encryption

Summary:

  • Easy to use
  • Doesn’t protect files that are copied out of the encrypted disk
  • Doesn’t protect files on mounted volumes for the logged-in user
  • Not applicable to cloud storage as it only works on the physical disk or partition

Encrypted Mounted Volumes (optimized for cloud)

Encryption tools that are optimized for the cloud provide many additional benefits over the previously discussed tools. First, they are optimized for synchronization to cloud storage. Only the changed parts of the encrypted files are uploaded to the cloud. Second, they use modern security algorithms such as authenticated encryption and public key cryptography. They allow managing and sharing encrypted files with ease. They work with different cloud storage providers so you’re not locked into one of them. They also provide local file protection.

  • BoxCryptor
  • Cryptomator
  • GoCryptFs
  • KeybaseFS

Summary:

  • State of the art encryption
  • Cloud integration
  • Efficient network synchronization
  • Easy to use
  • Can support large files
  • Allow easy password management and file sharing using public key encryption
  • Protect local and cloud files

Secure Cloud Providers

Secure Cloud Providers can offer various encryption mechanisms. The best ones use client-side encryption that protects your files before they are uploaded to the cloud. However, the files are not kept encrypted on the client computer; they are encrypted only when uploaded to the cloud provider. Once the files are on the cloud server they stay encrypted at rest.

  • Sync.com
  • pCloud
  • Tresorit
  • ShareFile
  • NextCloud

Summary:

  • Provide backup capabilities as well as encryption
  • Can be used to share files securely
  • Can be used to synchronize files across multiple devices
  • Requires a separate account
  • Doesn’t work with existing cloud providers such as Dropbox or Google Drive
  • Force you to purchase secure file storage from them
  • Don’t encrypt the files on the client computer

Secure File Sharing

Secure File Sharing can take the form of a secure cloud storage provider or as a specialized tool aimed directly at file sharing. Different tools provide different capabilities.

  • Firefox Send (deprecated)
  • Citrix ShareFile
  • Signal
  • Wire

Summary:

  • Can be used to easily and securely send files to other users
  • Some of them have size limitations
  • Additional complexity in managing users
  • Don’t provide encryption at rest

Secure e-mail

Securing email is hard. It is an old protocol that doesn’t natively support encryption. The best way to secure your emails is to use an extra mail plugin that runs in Outlook or Thunderbird or use a secure email provider. Nowadays secure email providers provide a much better user experience with many options to secure your messages.

  • ProtonMail
  • PGP plugin for Outlook/Thunderbird
  • Hushmail
  • Mailfence
  • Tutanota
  • S/MIME

Summary:

  • Popular means of sharing files
  • Can encrypt the body and attachments of emails
  • The password for decrypting the file has to be communicated using another method (out of band)
  • The user needs to have the same tools in order to decrypt the message