WICG / webcrypto-secure-curves

Proposal for the addition of Curve25519 and Curve448 to the Web Cryptography API
https://wicg.github.io/webcrypto-secure-curves/
Other
45 stars 4 forks source link

Support for seeding Ed25519 Private Keys #26

Open foxxtrot opened 8 months ago

foxxtrot commented 8 months ago

I have a use case where it would be useful to be able to seed the Ed25519 Private Key and having WebCrypto calculate the Public Key. The use case is a recovery code, where the user will have a means to provide a string that would be decoded into the 32-byte Ed25519 Private Key, which they would be able to sign a challenge proposed by our server with which could be verified by the associated Public Key which would be stored on our backend.

While RFC 8032 § 5.1.5 does state that the Private Key should be fully random, and this is definitely more secure for typical use cases, being able to use the WebCrypto API for Public Key derivation, instead of needing recreate the Public Key Derivation in JavaScript would be useful for cases such as this where the Private Key may need to be easily re-derived.

twiss commented 8 months ago

Hi :wave: I agree that being able to derive a public key from a private key could potentially be useful, however, this would require a new method in SubtleCrypto, and should probably be designed to work for all algorithms that support it, including the existing ones in Web Crypto. So, it might be better to discuss this in https://github.com/w3c/webcrypto/.

twiss commented 8 months ago

P.S. For your specific use case, though, there are other more appropriate ways to achieve it, e.g. either just hashing the password and sending that to the server, or alternatively a PAKE (such as OPAQUE or SRP) can be used to prove that the user knows the password without revealing it to the server (if that's important for your use case).

Frosne commented 4 months ago

Hi all, According to me, we already kinda have this functionality hidden. As when we generate a public/private key pair, I expect that we first generate a private key and then use a derive function to compute the public key. So, the question would be just whether it's complicated to expose this derivation function or not.

twiss commented 4 months ago

I think for Ed25519 you're right, but for the existing algorithms in Web Crypto it might be a bit more work, right? E.g. let's say that we define something like crypto.subtle.derivePublicKey(privateKey), and then you pass an RSA key object, it would be nice if it'd work as well. Of course it is also possible to implement that, but you might not have a function lying around for it, or do you?

In any case that is kind of why I think we should discuss it in https://github.com/w3c/webcrypto/, if we want to add a function for it :blush:

Frosne commented 4 months ago

I think it should be like this for all EC algorithms.

But I agree with you. And we indeed should discuss in w3c if/when we have a good reason why to add the derivation function.

P.s. I think MLS needs it, but I am not sure that they gonna use WebCrypto though