Re: [webauthn] Proposal/discussion: non-extractable CryptoKey output from the prf extension (#1895)

I've opened PRs #1945 and #1946 with two possible designs for this. I have some unfortunate news, though: as I was sketching out some ways one might use this, I concluded that there still seems to be no way to turn an unextractable PRF output into a never-extractable asymmetric private key.

The PRF output is always 32 random bytes, so the only key types it can be directly imported as are AES and HMAC/HKDF keys. HKDF can of course be used to derive new keys, and that's great, but in WebCrypto it is currently not possible to use HKDF to derive asymmetric key pairs. What you can do instead is to generate an unrelated keypair and wrap its private key with a key derived via HKDF - but `wrapKey()` requires the private key to be created with `exportable: true`, so there will still be some nonzero duration where the private key is vulnerable. Once you have the wrapped private key you can unwrap it with `exportable: false`, so that's good, but there's still that critical moment between key generation and the first `wrapKey` where the private key could be intercepted.

I also found that it's probably not even difficult for a malicious script to intercept the private key - you can just re-assign `window.crypto.subtle.generateKey` with a function that exfiltrates the private key result before passing it through.

All in all, this still makes it challenging to implement multi-recipient encryption with PRF-derived keys. It's fine as long as you have only one PRF credential, but if you want encrypted data to be decryptable by more than one PRF credential for redundancy, you have to either
- use symmetric-only encryption, which requires presentation of every PRF credential whenever something is to be encrypted, or
- accept that each credential's corresponding ECDH (or equivalent) private key is briefly exposed as an exportable key.

It would be nice if WebCrypto could be extended with the ability to use HKDF to derive EC and RSA private keys; that would neatly solve all of these problems.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1895#issuecomment-1691798283 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 24 August 2023 14:31:32 UTC