====== crypto Plugin ======

---- plugin ----
description: A plugin to support symmetric cryptography using the blowfish algorithm
author     : René Drießel
email      : rene@driessel.de
type       : syntax, action
lastupdate : 2010-05-04
compatible : 2010-11-07, 2011-05-25
depends    :
conflicts  :
similar    : dokucrypt
tags       : encryption, decryption

downloadurl: http://www.driessel.de/_media/wiki/plugins/crypto.tar.gz
----

The crypto plugin allows you to save encrypted text in a wiki page. Encryption is performed on the server side via AJAX, using the Blowfish implementation already delivered with DokuWiki. Therefore you should use this plugin only with SSL enabled.

===== Download and Installation =====

Search and install the plugin using the [[plugin:extension|Extension Manager]]. Refer to [[:Plugins]] on how to install plugins manually.

===== Syntax and Usage =====

[[http://www.driessel.de/wiki/plugins/crypto|Details and Download]]

====== Comments ======

**Just to emphasize what Martin says below, I have recently upgraded my Ubuntu server running DokuWiki from 12.04 to 13.10 and I now cannot decrypt ANY of my encrypted data!!!** OMG! 8-O

We noted that the **Blowfish** implementation used by this Plugin is **__platform dependent__**((https://bugs.dokuwiki.org/index.php?do=details&task_id=2685)) and does not comply with the standard Blowfish algorithm. Transfer of the encrypted passwords may be impossible when moving a wiki to some other machine.
Martin

Good work. But does, unfortunately, not work with Release 2013-05-10a "Weatherwax". Does anybody know how to fix this?
Martin

Nicely done... but there is a security hole. You send a "secret" pass-phrase in clear text over the network. It's very easy to sniff a password by capturing your POST request to a server. IMHO the encryption/decryption process should be done only on the client side, otherwise "man in the middle" attacks are guaranteed.
AlexJ

----

I know this hole was a design decision. You should use this plugin only with SSL enabled.
If you need JavaScript encryption on the client side you should use the [[plugin:dokucrypt|Dokucrypt plugin]] at the moment. In the future I will perhaps add an option to use client side encryption.
René

----

Patch file below (unified diff) that fixes special characters, such as '+' (amongst many others), that get lost in the encryption.

diff -ru crypto/action.php crypto-glo/action.php --- crypto/action.php 2010-03-06 18:43:45.000000000 +0000 +++ crypto-glo/action.php 2010-11-01 15:43:21.000000000 +0000 @@ -86,7 +86,7 @@ set_error_handler("crypto_error_handler"); $result = ""; try { - $data = $_POST['data']; + $data = urldecode($_POST['data']); $secret = $_POST['secret']; if (empty($secret)) { print ""; @@ -97,7 +97,7 @@ $result = $e->getMessage(); } - print $result; + print ''.$result.''; restore_error_handler(); } diff -ru crypto/js/encrypt-dialog.js crypto-glo/js/encrypt-dialog.js --- crypto/js/encrypt-dialog.js 2010-04-30 20:35:54.000000000 +0100 +++ crypto-glo/js/encrypt-dialog.js 2010-11-01 15:48:39.000000000 +0000 @@ -95,7 +95,7 @@ if ($('encrypt_dialog_password1').value == $('encrypt_dialog_password2').value) { dialog.sack.setVar("call", "crypto_encrypt"); dialog.sack.setVar("secret", escape($('encrypt_dialog_password1').value)); - dialog.sack.setVar("data", escape(selection.getText())); + dialog.sack.setVar("data", encodeURIComponent(selection.getText())); dialog.sack.onCompletion = function() { pasteText(selection, dialog.sack.response); $('encrypt_dialog_close').onclick();

-- Karl

----

**Hint for best rendering**

File: lib/plugins/crypto/style.css

CSS modifications to hide encrypted text and to show decrypted text

<code css>
/* Encrypted spans are hidden from the rendered page */
div.dokuwiki span.encrypted {
  width: 100%;
  background-color: #F7F9FA;
  display: none;
}

/* Decrypted spans are shown as a block */
div.dokuwiki span.decrypted {
  background-color: #F7F9FB;
  display: block;
}
</code>

Emanuele
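
Review bot: in the action.php hunk at -86,7, urldecode($_POST['data']) decodes a value that PHP has already URL-decoded once while filling $_POST, so it is only correct if the client really sends the field encoded twice, and urldecode additionally turns any '+' still present in the string into a space. rawurldecode is the exact counterpart of the encodeURIComponent call added on the client side. The following line, $secret = $_POST['secret'], gets no matching decode, so data and passphrase now take different paths; handle both the same way.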
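
Review bot: in the action.php hunk at -97,7, the new print ''.$result.''; concatenates two empty strings, so as shown it outputs exactly what print $result; did. If a wrapper around the result was intended, it is not present in these lines. The context line $result = $e->getMessage(); also leaves through the same print as the ciphertext, and the client side pastes the response into the page, so the error path should carry a distinct status or prefix that the caller can check before pasting.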
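
Review bot: in the encrypt-dialog.js hunk, only the data variable moves to encodeURIComponent; the secret on the line above still goes through escape(), which leaves '+' unencoded and emits %uXXXX for characters above U+00FF, so a passphrase containing such characters can still reach the server altered. Encode the secret with encodeURIComponent($('encrypt_dialog_password1').value) as well, and give it the same server-side decoding as data.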
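
Why Karl's patch above swaps escape() for encodeURIComponent(), shown as an added example that is not part of the plugin or the patch: a simplified model of form decoding on the receiving side. The helper names formDecode, roundTrip and compare and the sample strings are constructed for illustration.

```javascript
// Added example (not plugin code). Simplified model of how a receiver decodes
// an application/x-www-form-urlencoded value: '+' means space, then %XX bytes
// are decoded as UTF-8. Assumption: a strict decoder that rejects bad input.
function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, " "));
}

// Send one string through a client-side encoder and the receiver-side decode,
// and report whether it arrived unchanged.
function roundTrip(encoder, text) {
  const wire = encoder(text);
  let received;
  try {
    received = formDecode(wire);
  } catch (e) {
    // escape() emits %uXXXX and single Latin-1 bytes such as %DF, neither of
    // which is valid percent-encoded UTF-8; this strict decoder rejects them.
    received = null;
  }
  return { wire, received, intact: received === text };
}

// Constructed sample inputs: a '+', a '%' and '&', Latin-1 and CJK characters.
const SAMPLES = ["a+b=c", "50% off & more", "Drießel", "日本語 text"];

// Compare the legacy encoder (escape) with the patched one for each sample.
function compare(samples) {
  return samples.map((text) => ({
    text,
    legacy: roundTrip(escape, text),
    fixed: roundTrip(encodeURIComponent, text),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(
    JSON.stringify(row.text),
    "escape:", row.legacy.intact ? "ok" : "CORRUPTED (" + row.legacy.wire + ")",
    "| encodeURIComponent:", row.fixed.intact ? "ok" : "CORRUPTED"
  );
}
```

The same comparison applies to any field still built with escape(), such as the passphrase.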