- From: Mountie Lee <mountie.lee@mw2.or.kr>
- Date: Fri, 2 Nov 2012 07:02:18 +0100
- To: "Arthur D. Edelstein" <arthuredelstein@gmail.com>
- Cc: public-webcrypto-comments@w3.org
- Message-ID: <CAE-+aYKLMHaSQ_yQ0_tRm=_fma50BCm=7Lc0bDz2bjr6a5QyUA@mail.gmail.com>
Hi, Arthur.

On Thu, Nov 1, 2012 at 5:05 PM, Arthur D. Edelstein <arthuredelstein@gmail.com> wrote:

> Hi Mountie,
>
> > I think End-to-End encryption is easily implementable with current webcrypto
> > API spec.
>
> My feeling is that truly private, end-to-end encryption using the
> WebCrypto API (or indeed any JS crypto library) is only possible if
> implemented in an open-source browser extension, such as Cryptocat. As
> far as I can tell, it is not possible in a web app using the WebCrypto
> API.

I don't know how you define E2E.
In my understanding of E2E, we don't need a browser extension.
I have implemented it by using jCryption of jQuery.

The following is the draft procedure.

(1) Make a secure session between client and server via TLS.
(2) The server generates a key pair that will be valid under the same session and stores it in session storage.
(3) The server returns the public key to the client.
(4) The client encrypts data with the public key sent from the server.
(5) The public-key encrypted data is sent to the server via the secure session.
(6) The server decrypts the data with the private key.

Session security is a different issue and is dependent on web application design and implementation.

Maybe the E2E model can be implemented in different ways; that is the reason standardization of E2E is difficult.

> > standardization for E2E is difficult issue.
>
> Probably, but some reasonably simple standards should be possible. For
> example, encrypting/decrypting text and encrypting/decrypting files
> look like two relatively simple and fairly general use cases.
>
> Best regards,
> Arthur

--
Mountie Lee
PayGate CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Friday, 2 November 2012 06:03:06 UTC
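
The six-step procedure described in the message above, simulated with both endpoints in one Node.js process. This is an added example, not code from the thread or from jCryption. The `Server` class, `clientEncrypt`, the session id and the sample string are hypothetical, the TLS session of step (1) is assumed rather than modelled, and the hybrid RSA-OAEP plus AES-256-GCM wrapping goes beyond the plain public-key step the message lists.

```javascript
// Added example: simulates steps (2)-(6) with Node's built-in crypto module.
// Step (1), the TLS session, is assumed and not modelled here.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto'); // when loaded as an ES module

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical server: one key pair per session id; the private key never leaves it.
class Server {
  constructor() { this.sessions = new Map(); }

  // Steps (2) and (3): generate the session key pair, return only the public half.
  openSession(sessionId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.sessions.set(sessionId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }

  // Step (6): unwrap the AES key with the session private key, then decrypt.
  receive(sessionId, msg) {
    const privateKey = this.sessions.get(sessionId);
    if (!privateKey) throw new Error('unknown session');
    const aesKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, msg.iv);
    d.setAuthTag(msg.tag); // final() throws if ciphertext or tag was altered
    return Buffer.concat([d.update(msg.ciphertext), d.final()]).toString('utf8');
  }
}

// Steps (4) and (5): the client encrypts for the server's public key.
// RSA-OAEP can only carry a short payload, so the data goes under a fresh
// AES-256-GCM key and only that key is RSA-encrypted (hybrid encryption).
function clientEncrypt(publicKeyPem, plaintext) {
  const aesKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, aesKey);
  return { wrappedKey, iv, ciphertext, tag: c.getAuthTag() };
}

// Constructed sample input, longer than one RSA-2048 OAEP block could hold.
const SAMPLE = 'amount=1000&memo=constructed sample;'.repeat(20);
function demo() {
  const server = new Server();
  const pem = server.openSession('sess-1');
  return server.receive('sess-1', clientEncrypt(pem, SAMPLE));
}
```

The private key stays in the server's session map, so the server is the endpoint that recovers the plaintext in step (6).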