Switch from `crypto-js` to Web Crypto API

[muety]

Why?

• No extra dependency required anymore
• CryptoJS' used KDF is considered insecure (see comment below)

---

• https://github.com/diafygi/webcrypto-examples/#aes-gcm
• https://bradyjoslin.com/blog/encryption-webcrypto/
• https://github.com/AKASHAorg/easy-web-crypto

[muety]

How / why it works at the moment

• The result of this encrypting function call is a CipherParams object
• Its ciphertext and salt properties are serialized and deserialized (later, for decryption) using the OpenSSLFormatter
  • From this, both key and IV can be derived later on during the decryption (see below)
  • An alternative would be to use an entirely random IV and somehow pass it alongside the password, but that's not an option for us
  • Using constant IVs is unsafe
• Here is a good explanation of how key derivation, IV and salt play together

How to migrate

• When called with a password as key paramter, CryptoJS.AES.encrypt uses OpenSSL's EvpKDF as a key-derivation function to derive both an IV and a key from a random salt (explained here)
• WebCrypto does not implement EvpKDF, probably because it's considered unsafe nowadays
• Instead, PBKDF2 is recommended to be used, whereas it is safe to be used for deriving both key and IV from the password and some random salt
• For backwards compatibility, we would still have to implement EvpKDF for decryption, as shown in this great article

[muety]

• Key derivation example: https://github.com/mdn/dom-examples/blob/master/web-crypto/derive-key/pbkdf2.js

[muety]

For encryption:

1. Prompt the user to choose a password
2. Use SubtleCrypto.importKey() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey) to derive key material from the password from (1)
3. Use SubtleCrypto.deriveKey() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/deriveKey) on the output of (2) to derive an AES encryption key using PBKDF2
4. Use SubtleCrypto.encrypt() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt) with the key from (3) to actually encrypt the message
5. Send ciphertext to backend and save it in database

For decryption:

1. Retrieve ciphertext from backend
2. Prompt the user for password
3. Use importKey() and deriveKey() again, to derive a new AES key from the password, again, using PBKDF2
4. Use SubtleCrypto.decrypt() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/decrypt) to decrypt the message

---

It is safe to store IV and salt alongside the ciphertext:

• https://security.stackexchange.com/a/153129
• https://stackoverflow.com/a/3850335/3112139