Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API

Watson Ladd <watsonbladd@gmail.com> Thu, 20 November 2014 16:00 UTC

In-Reply-To: <546E0AE5.3040601@w3.org>
References: <546E0AE5.3040601@w3.org>
Date: Thu, 20 Nov 2014 08:00:18 -0800
Message-ID: <CACsn0cn+KX9J1NSUFhKV32iWL4KLHEPOKcXea3cD20QK2YeeaA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Harry Halpin <hhalpin@w3.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/VAhgDoDaci8iSn8h7wzCBLzcUNk
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

On Thu, Nov 20, 2014 at 7:38 AM, Harry Halpin <hhalpin@w3.org> wrote:
> Everyone,
>
> As the W3C Web Cryptography API gets ready to move to Candidate
> Recommendation, we wanted to address the concerns brought up by Rich
> Salz and others for better security guidelines for developers, given
> that the API exposes a variety of algorithms. I've taken Graham Steel's
> excellent write-up, which is in a large part based on Smart et al.'s
> magisterial ENISA report,  and have turned it into a draft CFRG note.
>
> We'd like to see the security guidelines below discussed here, and if
> there's no objections after discussion, move this onwards. W3C commits
> to maintaining this note as much as possible.
>
> Links to draft:
>
> TXT:
> http://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-00.txt
> HTML:
> http://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-00.html
>
> cheers,
>     harry
>

This says ECDSA is weak, and doesn't recommend future use. Huh? MACs
are necessary for use with anything not AES-GCM, and this isn't
mentioned, nor is the correct way to compose described. The DH
description is just wrong: NFS has made a tremendous dent in the
security of genus 0 Diffie-Hellman. The security results for ECDH
cited aren't ones that actually matter.

There is no guidance on key size, which can make even the strongest scheme weak.

One might think HKDF2 is the right way to store a hashed password from
reading this. They would be wrong, as it's easy to search all
possibilities. PBKDF2 isn't much better, but you have a fighting
chance.

Other than that I didn't find any problems.

Sincerely,
Watson Ladd