search

WICG / proposals

A home for well-formed proposed incubations for the web platform. All proposals welcome.
https://wicg.io/
Other
231 stars 16 forks source link

Secure Curves in WebCrypto #46

Closed twiss closed 8 months ago

twiss commented 2 years ago

Introduction

The Web Cryptography API currently only specifies the NIST P-256, P-384, and P-521 curves, and does not specify any "safe curves". Among the safe curves, Curve25519 and Curve448 have gained the most traction, and have been specified for use in TLS 1.3, for example. They have also been recommended by the Crypto Forum Research Group (CFRG) of the Internet Research Task Force (IRTF), and are expected to be approved by NIST.

In addition, Node.js has implemented a nonstandard extension to Web Crypto, adding Curve25519 and Curve448 under a vendor-prefixed name. We would like to avoid other implementations doing the same, and encourage intercompatibility going forward by providing a standard specification.

Today, web developers are getting around the unavailability of Curve25519 and Curve448 in the browser either by using less secure curves, or by including an implementation of Curve25519 and/or Curve448 in JavaScript or WebAssembly. In addition to wasting bandwidth shipping algorithms that are already included in browsers that implement TLS 1.3, this practice also has security implications, e.g. side-channel attacks as studied by Daniel Genkin et al.

We propose solving the above problem by adding support for Curve25519 and Curve448 algorithms in the Web Cryptography API, namely the signature algorithms Ed25519 and Ed448, and the key agreement algorithms X25519 and X448.

Read the complete Explainer.

See the Draft Specification.

Feedback

I welcome feedback in this thread, but encourage you to file bugs against the Explainer.

tniessen commented 2 years ago

I can confirm implementer interest in Node.js and in Cloudflare Workers. (Context)

Further, I suggest to consider including the HashEdDSA variants (namely, Ed25519ph and Ed448ph) in addition to the PureEdDSA variants (namely, Ed25519 and Ed448), see https://github.com/twiss/webcrypto-secure-curves/issues/5.

panva commented 2 years ago

I likewise support adoption of this draft, I am in a position to enable its implementation in the Node.js runtime as well as a universal JOSE library for developers to be able to take advantage of EdDSA in JWS and ECDH-ES using X* functions in JWE.

lucacasonato commented 2 years ago

We're interested too (Deno), and will be implementing this if it lands.

yoavweiss commented 2 years ago

Seems like there's enough support for this to be incubated! \o/ Feel free to transfer the repo to me, and I can move it to the WICG org.

twiss commented 2 years ago

Great, thanks! Transfer requested :)

yoavweiss commented 2 years ago

Repo is now live at https://github.com/WICG/webcrypto-secure-curves Happy incubating!! :)

twiss commented 2 years ago

:tada: Thanks! Could you update the URL in the "About" section of the repo to https://wicg.github.io/webcrypto-secure-curves/, or give me access to do so, by any chance?

yoavweiss commented 2 years ago

You should have permissions now

twiss commented 2 years ago

:pray: Thanks!