- From: David Dahl <ddahl@mozilla.com>
- Date: Thu, 14 Jun 2012 11:10:29 -0700 (PDT)
- To: Ryan Sleevi <sleevi@google.com>
- Cc: Zooko Wilcox-OHearn <zooko@leastauthority.com>, public-webcrypto@w3.org
----- Original Message -----
> From: "Ryan Sleevi" <sleevi@google.com>
> To: "David Dahl" <ddahl@mozilla.com>
> Cc: "Zooko Wilcox-OHearn" <zooko@leastauthority.com>, public-webcrypto@w3.org
> Sent: Thursday, June 14, 2012 11:59:47 AM
> Subject: Re: I want to have unsafe key exchange.
>
> > As far as symmetric keys are concerned, I have been thinking we would spec
> > out a wrapped key object, with the unwrapping happening out of the content
> > JS scope. With a compelling use-case I can see an API that allows raw key
> > material to be generated that is perhaps not persisted and not given any
> > kind of ID. Would that satisfy your usage?
> >
>
> I think this is a MUST requirement. Otherwise, the use of a DHE exchange to
> negotiate some keying material seems... not at all useful.
>

Isn't DH dependent on a public value that is used to generate a shared session
key? Why can't this be done in an API like (please pretend it is event-driven):

// Alice
var rndm = crypto.dh.generatePublicRandomNumber();
sendPublicRandomToBob(rndm);

// Bob
var recRndm = pollServerForPublicValue();
var sessionKeyID = crypto.dh.generateSessionKey(recRndm);
var rndm = crypto.dh.generatePublicRandomNumber();
sendPublicRandomToAlice(rndm);

// Alice
var recRndm = pollServerForPublicValue();
var sessionKeyID = crypto.dh.generateSessionKey(recRndm);
var messageToBob = crypto.dh.encrypt(sessionKeyID, "53kr3t m355ag3");
sendMessageToBob(messageToBob);

Perhaps this is a completely naive view of this protocol?

> Wrapped keys are only useful if you have a wrapping key. How do you
> import/export the wrapping key? For exchange between peers? Between
> browsers?
>

You can exchange JWKs as strings, then:

arrBuffPubKey = JSON.parse(jwk);

// now you can encrypt a message:

var pkAPI = new crypto.pk();

pkAPI.onEncryptFinished = function(aCipherMessage) {
  // this returns an arrayBuffer that has contents like:
  // { wrappedKey: 71251421526, iv: 1762152, cipherData: 619873836477286376527, etc... }
  // We can push the array buffer via websockets to the server or call toJSON()
  // to POST it, etc
};

pkAPI.encrypt(arrBuffPubKey, "s3cr3t m355ag3");

Again, perhaps this is a bit naive. My crypto work experience is short.

Nothing I am saying precludes additional APIs that open the apps up to more
dangerous raw-key collection and usage. We could provide flags that allow it. I
personally want to use a higher-level API that is safer. Of course, box/unbox is
at too high of a level for my needs.

Cheers,

David
Received on Thursday, 14 June 2012 18:10:58 UTC