ProtonMail, the secure email provider, has just had its credentials re-affirmed after its encryption library, OpenPGPjs, passed an independent security audit. The audit was carried out by the respected security firm, Cure53, after the developer community commissioned a review following the release of OpenPGPjs 3.0 back in March.
In its audit, Cure53 focused on the following areas:
- AEAD encrypted packets
- EAX, GCM, OCB
- CMAC
- All cryptographic primitive implementations: AES, AES-EAX, AES-GCM, AES-CBC, ED25519, C25519, ECDSA, HMAC, P256, P384, P521, SECP256K1
- Prime number handling
- Date support in signatures
- Cryptographic API exposure via different providers
Cure53 gave the library a highly positive result stating that no major issues were discovered. In a statement the security firm said:
“Tested cryptographic implementations were top notch and excellent quality given the platform. The only limitations come from the platform itself (JavaScript/web), which do not allow for side channel resistance or reliable constant time operations. Overall however this is an exceptional library for JavaScript cryptography.”
According to ProtonMail, OpenPGPjs forms the foundation of the encryption that takes place on the ProtonMail platform. In the latest version it gained several new features and improvements including support for elliptic curve cryptography (ECC).
Image via ProtonMail