Use Web Cryptography API if available #141

Open
jelhan opened this issue Aug 31, 2017 · 2 comments

@jelhan
Owner

jelhan commented Aug 31, 2017

Currently all encryption / decryption is done by the Stanford JavaScript Crypto Library (sjcl). Since the Web Cryptography API is now a recommendation and implemented by Firefox and Chrome, we should investigate if we could use that one if it exists.

Using Web Cryptography API might be less performant than sjcl if these benchmarks are still valid.

@jelhan
Owner Author

jelhan commented Nov 2, 2017

Investigated that one a little bit:

  • Web Cryptography API is supported by all browsers we are targeting except IE 11: caniuse.com
  • Current implementations of the Web Cryptography API do not support AES-CCM, which is currently used. But SJCL could be configured to use AES-GCM, which is also supported via the Web Cryptography API by all relevant browsers. Switching from CCM to GCM would also be an improvement.
  • Croodle currently uses PBKDF2 with HMAC-SHA-256 to retrieve the key from the passphrase. PBKDF2 is supported by all major browsers but the HMAC-SHA-256 hash function is not. Only plain SHA-256 is supported. On the other hand, SJCL does not support plain SHA-256 as the hash function for PBKDF2. Also, migrating from HMAC-SHA-256 to SHA-256 would be a decline.

@rugk
Contributor

rugk commented May 17, 2019

> all major browsers but HMAC-SHA-256 hash function is not

You likely just did not find it, because it's used in the .sign API, not the hash one.

Actually, it looks supported: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/sign#HMAC

(That MDN doc has been updated some time ago. Thanks to the fact that someone™ complained. 😉 And Mozilla fixed it, of course… 🤗)
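
An added example, not part of the thread and not Croodle's code: it derives an AES-GCM key with Web Crypto's PBKDF2 (`hash: "SHA-256"`) and checks it against PBKDF2 written out by hand over HMAC-SHA-256 reached through `subtle.sign()`, then round-trips a message through AES-GCM. The function names, passphrase, salt and iteration count are constructed for illustration.

```javascript
// Added example: function names and sample inputs are constructed, not from Croodle.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node
const enc = new TextEncoder();

// PBKDF2 as Web Crypto exposes it: `hash` names the hash used inside the HMAC PRF.
async function deriveGcmKey(passphrase, salt, iterations) {
  const base = await wc.subtle.importKey("raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey({ name: "PBKDF2", hash: "SHA-256", salt, iterations },
    base, { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
}

// The same derivation by hand (RFC 8018, first 32-byte block only),
// with HMAC-SHA-256 computed through subtle.sign().
async function pbkdf2ByHand(passphrase, salt, iterations) {
  const mac = await wc.subtle.importKey("raw", enc.encode(passphrase),
    { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
  const prf = async (data) => new Uint8Array(await wc.subtle.sign("HMAC", mac, data));
  let u = await prf(new Uint8Array([...salt, 0, 0, 0, 1])); // U1 = PRF(P, S || INT(1))
  const t = u.slice();
  for (let i = 1; i < iterations; i++) {
    u = await prf(u);                                       // Ui = PRF(P, Ui-1)
    for (let j = 0; j < t.length; j++) t[j] ^= u[j];        // T = U1 ^ U2 ^ ... ^ Uc
  }
  return t;
}

async function encrypt(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };              // ct carries the 16-byte tag
}

async function decrypt(key, { iv, ct }) {
  return new TextDecoder().decode(await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct));
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

async function demo() {
  const salt = enc.encode("constructed-salt");
  const key = await deriveGcmKey("correct horse", salt, 1000);
  const raw = new Uint8Array(await wc.subtle.exportKey("raw", key));
  const byHand = await pbkdf2ByHand("correct horse", salt, 1000);
  const box = await encrypt(key, "poll title");
  const roundTrip = await decrypt(key, box);
  box.ct[0] ^= 1; // flip one ciphertext bit: GCM must refuse to decrypt
  const tamperRejected = await decrypt(key, box).then(() => false, () => true);
  return { same: toHex(raw) === toHex(byHand), roundTrip, tamperRejected };
}
```

Calling `demo()` resolves to an object whose `same` field is true when both derivations agree; the PBKDF2 base key is imported as non-extractable because Web Crypto rejects extractable PBKDF2 keys.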
