dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Asymmetric encryption algorithm not supported in Blazor WebAssembly #30175

Closed CuteLeon closed 3 years ago

CuteLeon commented 3 years ago

Description

Hi, I am going to improve the security of my Blazor WebAssembly application by encrypting the username and password with the asymmetric encryption algorithm RSA before sending the login request, but I got an exception when debugging. Here is the exception message:

blazor.webassembly.js:1 crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
      Unhandled exception rendering component: System.Security.Cryptography.Algorithms is not supported on this platform.
System.PlatformNotSupportedException: System.Security.Cryptography.Algorithms is not supported on this platform.
   at System.Security.Cryptography.RSA..ctor()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor()

Solution

Can .NET 5.0 support asymmetric encryption algorithms in the next version? Or is there any other supported solution to protect communication security?
Great thanks.

blowdart commented 3 years ago

This is a purposeful decision. Work is being done to examine supporting the browser crypto APIs, but they're async and don't map naturally to .NET's APIs.

I'd ask why you want to encrypt the username and password yourself? If you're communicating over HTTPS it's already encrypted, you'd be doing it twice anyway, and what would you encrypt it against? The public key of the HTTPS certificate? Or something else on the server, at which point you're reinventing HTTPS anyway.

CuteLeon commented 3 years ago

Hi @blowdart: Thanks for the reply. I don't have a domain name currently, so HTTPS cannot protect me, and I don't want users to find out how the application communicates with the server, so I have to encrypt my request data with a public key on the Blazor WebAssembly client side and decrypt it with a private key on the ASP.NET Core Web API server side. The public key and private key are generated beforehand and provided in the AppSettings.json files. These 2 commits show what I did:

Implement RSA encrypt & decrypt service and related unit tests: https://github.com/CuteLeon/HackSystem/commit/0582dc290a94c91b80331d93a8ccdd3b51f5a540

Modify client and server to encrypt and decrypt the login request: https://github.com/CuteLeon/HackSystem/commit/c5130c682f46315b423f7ef144885cf7eb672b27

blowdart commented 3 years ago

There's work to figure it out for 6.0, but until then I'd look at the browser's WebCrypto and see if you can do what you need manually. But I would plan for HTTPS; it does what you want, and you're going to have to have a DNS entry to host your app anyway. dotnet gives you tools to host on HTTPS for development purposes, giving you a certificate for localhost so you can test it all out.

CuteLeon commented 3 years ago

Sure, great thanks.

blowdart commented 3 years ago

https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio should get you started. It'll work on the command line too if you're not using VS. If the docs are lacking and you can't get it going, please let us know.

CuteLeon commented 3 years ago

Great, HTTPS helps a lot, but on the other hand, an asymmetric encryption algorithm is also necessary for the Blazor platform; I hope to see it in a later version. Hah

blowdart commented 3 years ago

I'll be honest, I have concerns about encouraging client-side crypto, as it's hard to protect the keys well. This is why we stick to platform algorithms and don't write our own, so we'll be wrapping the browser APIs; we just need to figure out how to map an async promise system to the ones you'd usually expect in .NET.

CuteLeon commented 3 years ago

I understand your concerns and have had the same concerns as you, but I think the asymmetric encryption algorithm RSA can address those concerns, because RSA has 2 keys: it's OK to publish the public key to anyone, even the attacker. What we need to do is just protect the private key on the server side. Only the private key can decrypt the request data that was encrypted by the public key; neither the public key nor the private key can decrypt data encrypted by itself. Also, would you please offer more details about the "platform algorithms" you just mentioned? What does it mean?

CuteLeon commented 3 years ago

[image] Although I have turned on HTTPS, users can still see the plain password in the browser's Dev Tools > Network tab.

[image] And some web debuggers (such as Telerik) can also do this, not only a man in the middle.

blowdart commented 3 years ago

https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API is the platform API.

Also, to be honest, using Fiddler means nothing. Users know what their passwords are; you're not protecting against anything here. If an attacker is on the machine and can install a proxy, well, they can install a keylogger to get the password too. You'll find a lot of application threat models don't consider a compromised machine because OS security should be stopping that. In your scenario around API auth, OAuth helps here, because JWTs don't contain passwords, just a signed token that represents the user and that they logged in successfully in another place.

Encryption above and beyond HTTPS doesn't add any real protections.

CuteLeon commented 3 years ago

Hah, you are right. I am using JWT tokens in my application; it's a lightweight and stateless solution to authenticate users and their tokens.

CuteLeon commented 3 years ago

Hi @blowdart, sorry to bother you again. I noticed that almost all business web applications encrypt the username and password before sending the login request. As you mentioned, it's the OS security's duty to protect the environment where users input their password, but we can never assume that users' OS is safe, such as in a cybercafe without management... And I have read the Web_Crypto_API document you attached in the last comment; CryptoKeyPair and SubtleCrypto would be what I need.

blowdart commented 3 years ago

I'm really going to disagree; if I look at Office or Outlook, they do not. The login is over HTTPS and relies on HTTPS for its protection. That's simply what it's meant to do, and reinventing your own crypto tends to get very carefully examined at Microsoft, and usually gets rejected.

CuteLeon commented 3 years ago

My friends reminded me that it's not allowed to use HTTPS in some countries or regions. We need to fully deal with the scenarios of HTTPS failure.

ghost commented 3 years ago

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.