Security advisory for SJCL


Mike Hamburg

Feb 27, 2012, 7:58:47 PM
to sjcl-d...@googlegroups.com, sjcl-a...@googlegroups.com
Hello all,

Versions of SJCL prior to today (February 27, 2012) had a security-critical bug in the JSON convenience module (convenience.js). These versions did not properly encode associated data before passing it to the encryption / decryption routines, and as a result the associated data encoded in JSON was not properly authenticated. That is, if an attacker were able to modify an SJCL-encrypted and -authenticated message, then she would be able to change the associated data ("adata" field) without being noticed.

Please update to the latest version of SJCL, with git commit number

c2ef62eb61164ddc62468142b269f818a89f8d89 (master)
517544d5215e0df25d0fef184c7cf0cb89a49c3c (ecc)
895169947da89336c025cf269a5f54d417539f93 (version-0.8)

or newer. Of course, once you do this, older messages with associated data will not decrypt anymore. However, older messages without adata should continue to decrypt. I considered adding some sort of backwards compatibility feature, but as the old adata-handling code is completely wrong and insecure, any such feature would harm security.

Sorry for the inconvenience!

-- Mike Hamburg
