Re: Encrypted Private Key

This solution does not allow the actual unencrypted key to ever leave the
end user's control unless the software cheats. And that's always a risk,
not only with WebCrypto. Only the user has the passphrase needed to access
the key.

Charlie

On Tue, Aug 16, 2016 at 1:56 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2016-08-16 19:23, Charles Engelke wrote:
>
>> We're doing the same thing. It's not a standard encrypted key format,
>> but it is a standard encrypted data format and standard key derivation
>> method.
>
> This obviously works but does it address the trust issue which I thought
> was the origin for Peter's question?
> IMO, it does not since a malicious provider can do whatever it wants
> including recording the decrypted private key.
>
> Anders
>
>
>
>> Charlie
>>
>> On Tue, Aug 16, 2016 at 12:54 PM, Jason Proctor <jason@mono.hm> wrote:
>>
>>     hi Peter,
>>
>>     our product implements end to end encryption and protects its private
>> keys in a way which might work for you. i use a crypto concept called
>> "passphrase based encryption", which isn't implemented directly by
>> WebCrypto -- but this is forgivable, IMHO, as there isn't really a proper
>> standard for its details. i couldn't get it to work interoperably, so i
>> rolled my own, and now i have 100% compatibility between WebCrypto, Bouncy
>> Castle, and OpenSSL.
>>
>>     essentially the private key is protected by a passphrase which is
>> only stored in the user's head. this passphrase is digested into a
>> symmetric key which is then used to encrypt the serialised form of the
>> private key. the encrypted form is then persisted with reasonable safety.
>> on the way back out, the user is asked for the passphrase, it's used to
>> decrypt the key back into its serialised form, which can then be imported
>> into WebCrypto or other crypto packages.
>>
>>     does this make sense? let me know if i can help any further.
>>
>>     regards
>>     Jason
>>
>>
>>
>>
>>
>>     On Tue, Aug 16, 2016 at 7:10 AM, Anders Rundgren <
>> anders.rundgren.net@gmail.com> wrote:
>>
>>         On 2016-08-16 14:09, Peter Bielak, Executive Manager wrote:
>>
>>             Anders thank you for help.
>>
>>             I need to generate private key on client side so that
>> provider cannot see this key.
>>
>>
>>         Hi Peter,
>>
>>         This is the core problem with this design: the code that
>> generates the key, decrypts the key etc. is supplied by the provider.
>>         IMHO, you either trust a service provider or you do not; this is
>> something in between.
>>
>>         This issue is probably also a reason why WebCrypto maybe
>> hasn't been the smash hit once anticipated.
>>
>>         If you still consider this solution, I would recommend taking a
>> peek in
>>         https://pkijs.org/
>>         and check if they haven't already implemented something along the
>> lines you request.
>>
>>         Anders
>>
>>
>>         > That is why I need WebCrypto, I know that I could generate keys
>> on server using OpenSSL etc. and the key needs to be stored in database so
>> the only thing user has to care about is his password, it also needs to be
>> in PKCS#8 PEM format so this key can be used for encryption in Swift on
>> iDevices and in browser.
>>
>>
>>             One person from StackOverflow figured it out, here's my
>> question: http://stackoverflow.com/questions/38413391/generate-rsa-key-pair-using-webcrypto-api-and-protect-it-with-passphrase
>>
>>             but when using forge JS library it somehow breaks the key and
>> it cannot be imported as CryptoKey - DOMException error - nothing more
>>             I did this:
>>             my other question: http://stackoverflow.com/questions/38677742/cryptokey-arraybuffer-to-base64-and-back
>>             CryptoKey to base64 and back works but when encrypted using
>> forge and imported back - DOMException
>>
>>             Thanks again
>>
>>
>>             ---- On Tue, 16 Aug 2016 13:45:32 +0200 *Anders Rundgren <
>> anders.rundgren.net@gmail.com>* wrote ----
>>
>>
>>                 On Aug 16, 2016 12:50, "Peter Bielak, Executive Manager" <
>> peter@safebash.com> wrote:
>>                 >
>>                 > I think the question should have been:
>>                 > How do I generate passphrase protected encrypted
>> private key - pkcs#8 using WebCrypto API?
>>                 >
>>
>>
>>                 It is surely doable but since protected keys are already a
>> part of WebCrypto there is no direct support for your use-case.
>>
>>                 I have a feeling you are on the wrong track..
>>
>>                 anders
>>
>>
>>
>>
>>
>>
>>
>

Received on Tuesday, 16 August 2016 18:00:44 UTC
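
Added example, not part of the original thread or any poster's code: the scheme described above (passphrase digested into a symmetric key, which encrypts the serialised PKCS#8 private key) written against WebCrypto. PBKDF2-SHA-256, the iteration count, AES-256-GCM and the salt || iv || ciphertext layout are assumptions; the thread names none of them.

```javascript
// Added example. Algorithm choices and blob layout are assumptions, not from the thread.
// Browsers and recent Node expose globalThis.crypto; the require() is only a Node fallback.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 600000; // assumed PBKDF2 work factor
const RSA = { name: 'RSA-OAEP', modulusLength: 2048,
              publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };

// Digest the passphrase into a non-extractable AES-256-GCM key.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: ITERATIONS, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns salt(16) || iv(12) || ciphertext+tag: the form that gets persisted.
async function protectPrivateKey(privateKey, passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const pkcs8 = await wc.subtle.exportKey('pkcs8', privateKey);
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, pkcs8));
  const blob = new Uint8Array(28 + ct.length);
  blob.set(salt, 0); blob.set(iv, 16); blob.set(ct, 28);
  return blob;
}

// Rejects if the passphrase is wrong or the blob was modified (GCM tag check fails).
async function unprotectPrivateKey(blob, passphrase) {
  const key = await deriveKey(passphrase, blob.slice(0, 16));
  const pkcs8 = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.slice(16, 28) }, key, blob.slice(28));
  return wc.subtle.importKey(
    'pkcs8', pkcs8, { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['decrypt']);
}

// Generate a key pair, protect it, restore it, and prove the restored key still decrypts.
async function roundTrip(passphrase) {
  const pair = await wc.subtle.generateKey(RSA, true, ['encrypt', 'decrypt']);
  const blob = await protectPrivateKey(pair.privateKey, passphrase);
  const restored = await unprotectPrivateKey(blob, passphrase);
  const msg = new TextEncoder().encode('constructed test message');
  const ct = await wc.subtle.encrypt({ name: 'RSA-OAEP' }, pair.publicKey, msg);
  const pt = await wc.subtle.decrypt({ name: 'RSA-OAEP' }, restored, ct);
  return { blob, recovered: new TextDecoder().decode(pt) };
}
```

As the thread points out, this protects only the stored blob: the page script running these functions still handles the passphrase and the decrypted key.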