w3c / webcrypto

The W3C Web Cryptography API
https://w3c.github.io/webcrypto/

Add note on IV re-use in AES-GCM #209

Closed franziskuskiefer closed 3 years ago

franziskuskiefer commented 6 years ago

This issue was originally reported by @asanso.

The AesGcmParams dictionary allows setting an IV. It's well known that IV re-use is bad in AES-GCM. For example, it allows recovering a key that is marked as unwrap only and not extractable. It's probably not a good idea to not allow setting IVs. But a note warning of these pitfalls would be good.

asanso commented 6 years ago

I dug a bit in the archive and found this old, kind of related issue https://www.w3.org/2012/webcrypto/track/actions/86

sleevi commented 6 years ago

There are two separate issues here:

1) Whether the API should expose the IV
2) Whether the API should document the risks of IV reuse

To the first point, it was intentional to expose the IV, for deterministic control over the encryption. This matches other APIs that expose GCM.

To the second point, documentation about cryptographic design and the security considerations of algorithms was intentionally decided as out of scope. There was an (abandoned) attempt at documenting some of these at https://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-01.html, but it was by design that the API focus on the API, and cryptographic best practices, which constantly evolve, left separate.

sleevi commented 6 years ago

(Pretty sure this is a WontFix)

sideshowbarker commented 3 years ago

Closing per https://github.com/w3c/webcrypto/issues/209#issuecomment-412581761