First Web Crypto implementations: expecting your imagination to play with them!

Being chair of a W3C Working Group puts you in the nice situation of being aware of any brand new implementation of the specifications your working group is supposed to design. In the case of the Web Crypto WG, I must confess I am quite lucky: the group started one year ago, the first public working drafts were fired 10 months ago, last call is planned for October (planned, I said, no blood-signed promise here) and there are already several implementations and prototypes disclosed.

Which specification are we talking about?

The Web Cryptography API is an API edited by Ryan from Google. Once implemented natively in browsers, it will provide web apps with primitives for cryptographic operations: generate a strong random number, generate a key (or a key pair), and perform data ciphering or data signature with it. This is a nice toy for designing the security model of your web application. Identified use cases are data synchronization between client and server, signing legal documents, protecting banking transactions, … See the Web Cryptography Use Cases, edited by Arun from Mozilla, for more information. The Working Group is also working on an API to discover keys available in the key store of the browser, but this API, named Web Cryptography Key Discovery and edited by Mark from Netflix, does not yet have any implementation available.

What are the available implementations?

As several companies have an interest in this security feature, several implementations or experiments have been made available to web developers.

A polyfill designed by BBN. BBN is a research laboratory sponsored by the US government. It has issued a polyfill, a pure JavaScript implementation of the Web Crypto API (based on the version from December 2012). It is compatible with a large number of browsers, including Chrome, Firefox, Safari, Internet Explorer 10, Opera, iCab. You can learn more by visiting the Polycrypt project: http://polycrypt.net/ and the related GitHub repository: https://github.com/polycrypt/polycrypt .

A plugin by Netflix for Chrome. Netflix is working hard these days on delivering a complete solution to protect its streamed content through the combination of the Encrypted Media Extension and the Web Crypto API (based on the version from April 2013). The current native plug-in has been designed and successfully tested in Chrome on Linux amd64, but do not dream, it will not allow you to watch the Netflix catalog for free! All material and explanations are available under the Netflix GitHub.

A Microsoft IE 11 Preview feature. Microsoft has included the Web Crypto API in Internet Explorer 11 Preview (build date: 6/14/2013). This pre-release version is available to web developers.

A Chromium announced feature. Google has announced that the Web Crypto API would be available in Chromium. If you want to witness the on-going work, you can have a look at the chromium issue tracker.

A Firefox open feature**. Mozilla has been working since this spring on the implementation of the Web Crypto API, and progress can be monitored in the Bugzilla @ Mozilla tracker.

A teasing implementation from Inventive Designers.

All in all, what can you do now? And what are the limits?

You can play with those prototypes, which are here to fill the gap while browser makers embed the final feature in their final products. Note that none of the available plug-in, polyfill or pre-release implementations relies on Promises, which is the new taste of DOM, while the final version has a good chance of doing so: the most recent draft already embeds them, and it is awaiting review by the JavaScript community and the W3C Technical Architecture Group. In addition, the referenced plug-in, polyfill and pre-release features rely on old versions of the specification, which is subject to change, as the Working Group is still managing some open issues. Nevertheless, having some tools today gives you a chance to play with crypto primitives on different platforms.

Which one to choose? If your project is just about creating a key and using it for basic operations such as generating a key, signing, encrypting and the corresponding operations, then the BBN polyfill will match perfectly. If you want to experiment more with key wrapping (in order to protect your keys when they are stored in your client), then the Netflix and Microsoft tools will do the job.

Each of the implementations made some choices about the algorithms supported, but in most cases, if your project does not require an exotic algorithm, you will find what you need inside.
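To make the basic operations and the key wrapping mentioned above concrete, here is an added example; it is not code from any of the implementations listed in this post. It assumes the Promise-based crypto.subtle interface found in current browsers and Node.js rather than the 2013 prototypes, and the function names and algorithm choices (ECDSA P-256, AES-GCM, AES-KW) are picked for illustration.

```javascript
// Added example. Assumes the Promise-based crypto.subtle of current browsers
// and Node.js, not the 2013 prototypes listed above.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node fallback
const subtle = wc.subtle;
const enc = new TextEncoder();

// Basic operations: generate a key pair, sign, verify.
async function signAndVerify(message) {
  const alg = { name: 'ECDSA', hash: 'SHA-256' };
  // extractable=false: script can use the private key but never export it.
  const pair = await subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign', 'verify']);
  const sig = await subtle.sign(alg, pair.privateKey, enc.encode(message));
  return {
    valid: await subtle.verify(alg, pair.publicKey, sig, enc.encode(message)),
    tampered: await subtle.verify(alg, pair.publicKey, sig, enc.encode(message + '!')),
    privateExtractable: pair.privateKey.extractable,
  };
}

// Key wrapping: protect a data key before it is stored on the client.
async function wrapRoundTrip(plaintext) {
  // Wrapping key generated here for the demo; where it really comes from
  // (server, passphrase, hardware) is outside this example.
  const kek = await subtle.generateKey(
    { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
  // The data key must be extractable, otherwise wrapKey() refuses it.
  const dataKey = await subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // strong random nonce
  const ct = await subtle.encrypt({ name: 'AES-GCM', iv }, dataKey, enc.encode(plaintext));
  const wrapped = await subtle.wrapKey('raw', dataKey, kek, 'AES-KW'); // storable blob
  // Unwrap as non-extractable so the restored key cannot be exported again.
  const restored = await subtle.unwrapKey('raw', wrapped, kek, 'AES-KW',
    'AES-GCM', false, ['decrypt']);
  const pt = await subtle.decrypt({ name: 'AES-GCM', iv }, restored, ct);
  return {
    wrappedBytes: wrapped.byteLength,
    recovered: new TextDecoder().decode(pt),
    restoredExtractable: restored.extractable,
  };
}
```

The wrapped blob is 8 bytes longer than the 32-byte key because AES-KW adds an integrity check value, so a corrupted or swapped blob fails at unwrapKey() instead of yielding a wrong key.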

If you are having fun with it, who should you report it to?

As you may imagine, the whole W3C crypto community and the implementers are expecting your reports on your experiments. Feel free to tell us more on public-webcrypto-comments@w3.org or by reporting directly to the implementation providers…

You can also read a more recent post related to Web Crypto API development here: https://poulpita.com/2014/08/28/w3c-web-crypto-whats-next/

** Thanks @clochix for the info.

6 comments

  1. I work for a company that needs to use the certificate stored on the user’s smart card. So Web Crypto Discovery is a key feature to stop using the old Java applets to access the private/public key on my user’s smartcard hardware.

  2. I did not want to be trollish, but I guess I was… simply could not resist, sorry.
    However, I should have contributed to the main topic, and yes, you are absolutely right, crypto API for ‘web platform’ would of course be nice to have as there are probably not much less use cases than for native applications.
    Thanks a lot for the great summary on the current state of web crypto!

  3. Hi ROFL, I understand your comment and reasons for looking at this with reluctance. I still believe there might be value in having native crypto functions in browsers, it could be a start of something…
