muety / anchr

⚓️ Anchr provides you with a toolbox for tiny tasks on the internet, especially bookmark collections
https://anchr.io
GNU General Public License v3.0
278 stars 27 forks source link

Switch from `crypto-js` to Web Crypto API #42

Closed muety closed 2 years ago

muety commented 3 years ago

Why?


muety commented 3 years ago

How / why it works at the moment

How to migrate

muety commented 2 years ago
muety commented 2 years ago

For encryption:

  1. Prompt the user to choose a password
  2. Use SubtleCrypto.importKey() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey) to derive key material from the password from (1)
  3. Use SubtleCrypto.deriveKey() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/deriveKey) on the output of (2) to derive an AES encryption key using PBKDF2
  4. Use SubtleCrypto.encrypt() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt) with the key from (3) to actually encrypt the message
  5. Send ciphertext to backend and save it in database

For decryption:

  1. Retrieve ciphertext from backend
  2. Prompt the user for password
  3. Use importKey() and deriveKey() again, to derive a new AES key from the password, again, using PBKDF2
  4. Use SubtleCrypto.decrypt() (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/decrypt) to decrypt the message

It is safe to store IV and salt alongside the ciphertext: