[CFRG] An update on Web Crypto, and adopting CFRG curves

Daniel Huigens <daniel.huigens@proton.ch> Wed, 10 August 2022 16:54 UTC

From: Daniel Huigens <daniel.huigens@proton.ch>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 10 Aug 2022 16:53:59 +0000
Subject: [CFRG] An update on Web Crypto, and adopting CFRG curves
Message-ID: <lOuLx02d-aJwfKgoM3e740D2ipOIu-8AL2TKk_CZ1EGzgw8Q22K6qNOtYmCh9nQ4mHLL5JM5mpwrgF3-2c97PscNJzriGHohgVkjLIT-8XI=@proton.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wbBD1e8e6hGCV_ZGFe9CpW3Cnic>

Hi all,

At the IETF 114 session, there was a slide with expired documents which
listed draft-irtf-cfrg-webcrypto-algorithms-00, which prompted me to
think that you might appreciate an update regarding the state of the
Web Cryptography API specification.

For a long while, the Web Cryptography WG at W3C has been closed, and
there was no obvious path to include new (more modern) algorithms in
Web Crypto. That was until two months ago, when the Web Application
Security WG adopted a new charter which includes a provision to "adopt
well-supported proposals from incubation for maintenance of the Web
Cryptography API". I also volunteered as editor for the Web Crypto
specification, and so am now trying to modernize the cryptographic
algorithms available in the API.

To start, I wrote a draft spec proposing to add the CFRG curves to Web
Crypto [1]. There is an experimental implementation of that in Node.js,
but no browsers yet.

There was a request (from Mozilla) to tighten the checks beyond what is
required by RFC 7748 and RFC 8032, particularly to check for small-
order elements. There is an open PR with a proposal to do so at [2].
It would be great if you could comment on that either here or on the PR.
Note that the current text mandates the check for all-zero shared
secrets that is optional in RFC 7748, partially because I think it's
better to have consistent behavior among implementations, but I think
that checking for small-order elements on import would be even better
for that. However, let me know if you disagree, and also if you do
agree, commenting on the PR would be helpful as well.

Then, there are some other algorithms that, in my mind, would make for
obvious additions, such as Argon2 (currently the only password hashing
function is PBKDF2), OCB (currently the only AEAD mode is GCM), SHA-3,
and eventually some post-quantum algorithms. However, that might take a
bit longer, and all of this obviously depends on the interest and
bandwidth of implementers. But, if you have other thoughts on what
should be included in a modern crypto API, that would be welcome too.

Finally, circling back to draft-irtf-cfrg-webcrypto-algorithms-00, for
now I think there's not much to do, but once the above has been added,
I think it might be worthwhile to have an updated document with
recommendations for which algorithms to use. Of course I don't know if
there's still interest in that here (after all, it's been a while :s),
but let me know what you think.

Thanks!

Best regards,
Daniel Huigens

[1]: https://wicg.github.io/webcrypto-secure-curves/
[2]: https://github.com/WICG/webcrypto-secure-curves/pull/13
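The two checks discussed in the message (the all-zero shared-secret check that RFC 7748 leaves optional, and the stricter rejection of small-order elements at public-key import time) are easiest to see side by side in code. The block below is an added example, not code from the email, the WICG draft, or any Web Crypto implementation: it is a minimal pure-JavaScript X25519 (BigInt, the ladder from RFC 7748 section 5) with hypothetical helper names such as `importPublicKey`, `isSmallOrder` and `deriveSharedSecret`. The small-order test uses the fact that every point of order 1, 2, 4 or 8, on the curve or its twist and whether or not the encoding is canonical, satisfies [8]P = O, which the x-only ladder reports as u = 0. The conditional swap and BigInt arithmetic are not constant time, so this is for understanding the checks, not for production use.

```javascript
// Added example: minimal X25519 (RFC 7748 section 5) in BigInt arithmetic, used
// to demonstrate (1) rejecting small-order public keys at import and (2) the
// all-zero shared-secret check. Helper names are hypothetical; not constant time.
const P = (1n << 255n) - 19n;   // 2^255 - 19
const A24 = 121665n;            // (486662 - 2) / 4

function mod(a) { const r = a % P; return r < 0n ? r + P : r; }

// Modular exponentiation. inv(0) = 0, which is how the ladder's point at
// infinity (Z = 0) collapses to the u-coordinate 0 in the RFC's final step.
function pow(base, exp) {
  let r = 1n; base = mod(base);
  while (exp > 0n) { if (exp & 1n) r = r * base % P; base = base * base % P; exp >>= 1n; }
  return r;
}
const inv = (a) => pow(a, P - 2n);

function fromLE(bytes) { let x = 0n; for (let i = bytes.length - 1; i >= 0; i--) x = (x << 8n) | BigInt(bytes[i]); return x; }
function toLE(x) { const out = new Uint8Array(32); for (let i = 0; i < 32; i++) { out[i] = Number(x & 0xffn); x >>= 8n; } return out; }
const hexToBytes = (h) => Uint8Array.from(h.match(/../g), (b) => parseInt(b, 16));
const bytesToHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');

// RFC 7748 decoding: mask the unused top bit of u and reduce; clamp the scalar.
function decodeU(bytes) { const b = Uint8Array.from(bytes); b[31] &= 0x7f; return mod(fromLE(b)); }
function decodeScalar(bytes) { const b = Uint8Array.from(bytes); b[0] &= 248; b[31] &= 127; b[31] |= 64; return fromLE(b); }

// Montgomery ladder (RFC 7748 section 5). Returns the u-coordinate of [k]P.
function ladder(k, u) {
  let x2 = 1n, z2 = 0n, x3 = u, z3 = 1n, swap = 0n;
  for (let t = 254n; t >= 0n; t--) {
    const kt = (k >> t) & 1n;
    swap ^= kt;
    if (swap) { [x2, x3] = [x3, x2]; [z2, z3] = [z3, z2]; }   // NOT constant time
    swap = kt;
    const a = mod(x2 + z2), aa = a * a % P;
    const b = mod(x2 - z2), bb = b * b % P;
    const e = mod(aa - bb);
    const c = mod(x3 + z3), d = mod(x3 - z3);
    const da = d * a % P, cb = c * b % P;
    x3 = mod((da + cb) ** 2n);
    z3 = u * mod((da - cb) ** 2n) % P;
    x2 = aa * bb % P;
    z2 = e * mod(aa + A24 * e) % P;
  }
  if (swap) { [x2, x3] = [x3, x2]; [z2, z3] = [z3, z2]; }
  return x2 * inv(z2) % P;
}

function x25519(scalarBytes, uBytes) {
  return toLE(ladder(decodeScalar(scalarBytes), decodeU(uBytes)));
}
const BASE_POINT = toLE(9n);

// Check 1 (the stricter option discussed on the list): a point has small order
// (1, 2, 4 or 8, on the curve or its twist) exactly when [8]P = O, which the
// ladder reports as u = 0. Scalar 8 is deliberately used unclamped here.
function isSmallOrder(uBytes) {
  return ladder(8n, decodeU(uBytes)) === 0n;
}

function importPublicKey(uBytes) {
  if (uBytes.length !== 32) throw new Error('X25519 public key must be 32 bytes');
  if (isSmallOrder(uBytes)) throw new Error('small-order X25519 public key rejected');
  return Uint8Array.from(uBytes);
}

// Check 2 (mandatory in the draft text, optional in RFC 7748): an all-zero
// output means the peer's point had small order, so the secret is worthless.
function deriveSharedSecret(privBytes, peerPubBytes) {
  const k = x25519(privBytes, peerPubBytes);
  if (k.every((byte) => byte === 0)) throw new Error('all-zero X25519 shared secret rejected');
  return k;
}

// Stand-alone demo using the RFC 7748 section 6.1 key pair for Alice and Bob.
function demo() {
  const aPriv = hexToBytes('77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a');
  const bPriv = hexToBytes('5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb');
  const aPub = x25519(aPriv, BASE_POINT), bPub = x25519(bPriv, BASE_POINT);
  return {
    shared: bytesToHex(deriveSharedSecret(aPriv, importPublicKey(bPub))),
    sameBothWays: bytesToHex(deriveSharedSecret(bPriv, aPub)) === bytesToHex(deriveSharedSecret(aPriv, bPub)),
    rejectsOrder4Point: isSmallOrder(toLE(1n)),
    acceptsBasePoint: !isSmallOrder(BASE_POINT),
  };
}
if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Note the difference in where each check fires: `deriveSharedSecret` only learns about a bad peer key after doing the full scalar multiplication, and only because clamped scalars are multiples of 8, whereas `importPublicKey` rejects the key once, up front, and behaves identically in every implementation that adopts it, which is the consistency argument made in the message.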