
Practical WebCrypto

Mike MacCana
September 05, 2018


Using webcrypto in real world PKI scenarios.




  1. WebCrypto (Mike MacCana / CertSimple)

  2. WebCrypto is crypto made available to the browser. W3C spec as of Jan 2017.
     Symmetric and asymmetric algos, handling key material, hardware support, digests, signing, other crypto primitives.
  3. Works in all current browsers

  4. WebCrypto isn’t fake JavaScript crypto

  5. Secure messaging, DRM, PKI, BitCoin mining ad malware

  6. WebCrypto for PKI
     • ‘Mid technical’ users – know what a domain name is but don’t want to bother with crypto tools
     • Technical users who want to save time:
       openssl ecparam -genkey -name prime256v1 -out foo.com.key
       openssl req -new -key foo.com.key -out foo.com.csr -subj '/C=IN/ST=Karnataka/L=Bangalore/O=Foo Limited/CN=foo.com'
       cat foo.com.csr
     • Web based workflows that include crypto functions, eg keygen
  7. Keypair made on browser. Private key never leaves local machine.

  8. WebCrypto for PKI issues
     • WebCrypto is just crypto - it doesn't implement X.509, ASN.1, etc. or the other accumulated layers of cruft.
     • PKIJS and ASN1JS do this.
     • Non-evergreen browsers
     • Threat model changes - XSS
  9. PKIJS and ASN1JS
     • OSS projects funded by Peculiar Ventures (Ryan Hurst)
     • Developers do not have a JS background so have a somewhat esoteric style - examples but code doesn't look like JavaScript, and they often won't work (mainly due to poor documentation).
     • Developer works alone - doesn't accept contributions to clean things up. Will close GitHub issues without response.
  10. What CertSimple do on top of that
     • Various monkey patches to get it to work
     • High level PKCS10 CSR tools and tests
     • Reusable components for key generation and rekeying
     • Create a download URL to a 'file' that exists on the local machine
     • Key gen and local ‘download’ in around 1 second
     • Instant rekeying – user just approves
  13. Customers that don’t want to use WebCrypto

  14. Threats and mitigations
     • XSS. Mitigation: Content Security Policy
     • Client side JS library trust. Mitigation: npm audits
  15. Links
     https://www.w3.org/TR/WebCryptoAPI
     https://pkijs.org/
     https://asn1js.org/
     https://certsimple.com

  16. Thanks.