RE: Unwrap Questions - How do I do this? from Jim Schaad on 2014-01-28 (public-webcrypto@w3.org from January 2014)

From: Jim Schaad <ietf@augustcellars.com>
Date: Tue, 28 Jan 2014 12:54:52 -0800
To: "'Ryan Sleevi'" <sleevi@google.com>
Cc: <public-webcrypto@w3.org>
Message-ID: <004601cf1c6b$31461a70$93d24f50$@augustcellars.com>
 

 

From: Ryan Sleevi [mailto:sleevi@google.com] 
Sent: Tuesday, January 28, 2014 12:13 PM
To: Jim Schaad
Cc: public-webcrypto@w3.org
Subject: Re: Unwrap Questions - How do I do this?

 

 

 

On Tue, Jan 28, 2014 at 11:58 AM, Jim Schaad <ietf@augustcellars.com> wrote:

I am having a problem with the current description of the unwrapKey method.  I am going to try and lay out my understanding in the hope the somebody will tell me what I got wrong.

 

Starting Point:

 

wrapKey is in the browser

                wrapKey.type = secret

                wrapKey.extractable = false

                wrapKey.algorithm = “AES-GCM”

                wrapKey.usages[] = [unwrapKey]

 

keyData = ENCRYPTED(

‘{“kty”:”oct”, “k”:”ABCDEFGHIJKLMNOP”,”alg”:”Magic”}’

)

 

 

First I am going to just use the normal call and attempt to unwrap the key

 

unwrapKey(“jwk”, keyData, wrapKey, {name:“AES-GCM”},  null, true, [encrypt, decrypt])

 

This will fail because the browser does not implement the algorithm Magic and through an error in step #12 of the unwrap algorithm (the import is going to fail because of “Magic”).

 

My code then says – that is fine – I have  a script version of Magic that I have downloaded as well so I can run the algorithm in script rather than in the browser.

 

Step #2 – Call my internal script unwrapKey function.

 

I can successfully complete steps #1-9 without any problems in the script.

 

I am now going to attempt to deal with step #10.  This says that I need to decrypt the bytes of keyData using the value of wrapKey.  In order to do this I could call the decrypt function, but that will fail because it does not have the decrypt key usage.  I could export and have AES-GCM in the script, but that fails because the key is not exportable.  I could call an undocumented function which does the decryption operation, but that is not documented.

 

I am not sure what my script code is supposed to be doing at this point.

 

Jim

  

 

 

Jim,

 

There is no undocumented function which does the decryption operation. Your polyfill (which is what it is) will not work in this case. It's as simple as that.

 

Supporting polyfill-extended algorithms (eg: where JS registers its own implementation of some algorithm) is not something this WG has done. So there's no hidden feature you're missing - it's not supported *at this time*.

 

We've discussed how it might be able to, and this was something the TAG suggested we consider for *future* work, but that's all it is, future work.

 

If you want to unwrap "magic" keys, your AES-GCM key must be available to your implementation as decrypt, and you can implement the security boundary within your application. Since you're polyfilling the "magic" algorithm, which by definition means the key bytes of the "magic" key are available to you, this is no change in security properties - you've already decided where your security boundary is.

 

Ryan,

 

Either I misunderstood your previous position or it has changed.  This does not match what I thought you were saying previously.  This would have been during the discussions of boundaries of import and export of keys in previous messages where I was trying to argue for tight boundaries and I thought that you were not.  (I.e. the Netflix case of doing a chain import of a key that was not visible in any way to the script).

 

Jim
Received on Tuesday, 28 January 2014 20:56:53 UTC