
RE: Request for feedback: DOMCrypt API proposal

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 3 Jun 2011 13:23:24 -0700
Message-ID: <BANLkTikjs+EWCaEVZQRtSSUSpXxe+Utg5g@mail.gmail.com>
To: public-web-security@w3.org
(*Test...this didn't seem to hit the full list.*)

You've included a SHA-256 hash function, but not an HMAC-SHA-256 function.

Having looked at many, many webapps as a pentester, I can assure you that
99% of folks will do message authentication insecurely without better
API support than a raw hash function.

They will: (a) create insecure constructions using secret prefix or
secret suffix concatenations instead of implementing real HMAC, and
then (b) they will leak timing information during verification.

I would propose the following APIs: (if you only support SHA256 and
have no plans to implement other algorithms)

hmac: {
  // callback receives the computed MAC: callback(mac)
  createHMAC: function (plaintext, key, callback) { },
  // callback receives a boolean: callback(booleanVerified)
  verifyHMAC: function (plaintext, key, receivedMac, callback) { }
}


Where verifyHMAC implements double-HMAC verification to prevent timing
leakage as described here:


Adding algorithm setters as is done for the symmetric functions would
allow agility to move to, e.g., SHA-3 in the future when it is defined.

-Brad Hill
Received on Sunday, 5 June 2011 22:34:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:26 UTC