freedomjs / freedom-pgp-e2e

Wrapping up end-to-end code and providing it in a freedom custom API.

Validate our crypto parameters #25

Closed by agallant 9 years ago

agallant commented 9 years ago

As we approach actually using this module, it would be good to double-check that we're doing the crypto properly. Right now, the keypair is generated locally by e2e and the private key is never touched by our code, so I believe the main thing to validate that our crypto is sensible (besides trusting the e2e codebase, which is separately audited) is the key generation parameters: https://github.com/freedomjs/freedom-pgp-e2e/blob/master/src/e2e.js#L114

This is calling this function: https://github.com/google/end-to-end/blob/09ad69d0f4365e83dc9b515c88ca960bb1583c30/src/javascript/crypto/e2e/openpgp/contextimpl.js#L236

So our parameters are:

These parameters are generally very similar to e.g. some used in the end-to-end tests (https://github.com/google/end-to-end/blob/09ad69d0f4365e83dc9b515c88ca960bb1583c30/src/javascript/crypto/e2e/extension/launcher_test.js#L118), and should be secure elliptic-curve choices. However, it's worth creating this issue just to formally document it and get a few more eyes on it. Thanks for reading!

iislucas commented 9 years ago

Reviewed with security team and looks good.

agallant commented 9 years ago

Thanks!