Practical WebCrypto

Mike MacCana
September 05, 2018

Using WebCrypto in real-world PKI scenarios.

Transcript

  1. 2.

    WebCrypto is crypto made available to the browser
    W3C Spec as of Jan 2017
    Symmetric and asymmetric algos, handling key material, hardware support, digests, signing, other crypto primitives.
  2. 6.

    WebCrypto for PKI
    • ‘Mid technical’ users – know what a domain name is but don’t want to bother with crypto tools
    • Technical users who want to save time:
      openssl ecparam -genkey -name prime256v1 -out foo.com.key
      openssl req -new -key foo.com.key -out foo.com.csr -subj '/C=IN/ST=Karnataka/L=Bangalore/O=Foo Limited/CN=foo.com'
      cat foo.com.csr
    • Web based workflows that include crypto functions, e.g. keygen
  3. 8.

    WebCrypto for PKI issues
    • WebCrypto is just crypto - it doesn't implement X.509, ASN.1, etc. or the other accumulated layers of cruft.
    • PKIJS and ASN1JS do this.
    • Non-evergreen browsers
    • Threat model changes - XSS
  4. 9.

    PKIJS and ASN1JS
    • OSS projects funded by Peculiar Ventures (Ryan Hurst)
    • Developers do not have a JS background so have a somewhat esoteric style - there are examples, but the code doesn't look like JavaScript, and they often won't work (mainly due to poor documentation).
    • Developer works alone - doesn't accept contributions to clean things up. Will close GitHub issues without response.
  5. 10.

    What CertSimple do on top of that
    • Various monkey patches to get it to work
    • High level PKCS10 CSR tools and tests
    • Reusable components for key generation and rekeying
    • Create a download URL to a 'file' that exists on the local machine
    • Key gen and local ‘download’ in around 1 second
    • Instant rekeying – user just approves
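
The in-browser key generation and local 'download' from slide 10, as an added example using the standard WebCrypto API (this is not CertSimple's code, and the helper names `derToPem`, `generateKeyPem` and `offerDownload` are hypothetical). It generates the same curve as the `openssl ecparam` command in slide 6 but exports the private key as PKCS#8, and it stops before CSR construction, which slide 8 notes WebCrypto does not cover.

```javascript
// Added example; helper names are hypothetical. Works in browsers and Node.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Wrap DER bytes in a PEM envelope with 64-character base64 lines.
function derToPem(der, label) {
  let binary = "";
  for (const b of new Uint8Array(der)) binary += String.fromCharCode(b);
  const b64 = btoa(binary).replace(/(.{64})/g, "$1\n").trimEnd();
  return `-----BEGIN ${label}-----\n${b64}\n-----END ${label}-----\n`;
}

// Generate a P-256 key pair (the curve openssl calls prime256v1) locally.
async function generateKeyPem() {
  const keyPair = await subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" },
    // extractable=true is needed to export the key to a file; it also means
    // any script running in the page (e.g. via XSS) can export it too.
    true,
    ["sign", "verify"]
  );
  const pkcs8 = await subtle.exportKey("pkcs8", keyPair.privateKey);
  const spki = await subtle.exportKey("spki", keyPair.publicKey);
  return {
    keyPair,
    privateKeyPem: derToPem(pkcs8, "PRIVATE KEY"),
    publicKeyPem: derToPem(spki, "PUBLIC KEY"),
  };
}

// Browser only: offer the PEM as a local "download"; nothing is sent to a server.
function offerDownload(pem, filename) {
  const blob = new Blob([pem], { type: "application/x-pem-file" });
  const url = URL.createObjectURL(blob);
  const link = document.createElement("a");
  link.href = url;
  link.download = filename;
  document.body.appendChild(link);
  link.click();
  link.remove();
  // Release the object URL so the key material is not kept alive by it.
  setTimeout(() => URL.revokeObjectURL(url), 0);
}

// Browser usage (file name is a constructed example):
// generateKeyPem().then(({ privateKeyPem }) => offerDownload(privateKeyPem, "foo.com.key"));
```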