RE: Request for feedback: DOMCrypt API proposal

(*Test...this didn't seem to hit the full list.*)

You've included a SHA-256 hash function, but not an HMAC-SHA-256 function.

Having looked at many, many webapps as a pentester, I can assure you that
99% of folks will do message authentication insecurely without better
API support than a raw hash function.

They will: (a) create insecure constructions using secret-prefix or
secret-suffix concatenations instead of implementing real HMAC, and
then (b) they will leak timing information during verification.

I would propose the following APIs (if you only support SHA-256 and
have no plans to implement other algorithms):

hmac: {
  // callback receives the computed MAC
  createHMAC: function (plaintext, key, callback /* function (mac) { } */) { },
  // callback receives a boolean; verification uses the double-HMAC comparison below
  verifyHMAC: function (plaintext, key, receivedMac, callback /* function (booleanVerified) { } */) { }
}


Where verifyHMAC implements double-HMAC verification to prevent timing
leakage as described here:

Adding algorithm setters, as is done for the symmetric functions, would
allow agility to move to, e.g., SHA-3 in the future when it is defined.

-Brad Hill

Received on Sunday, 5 June 2011 22:34:09 UTC