SlideShare a Scribd company logo

The History and Status of Web Crypto API (2012)

Channy Yun
Channy Yun

The document discusses the history and status of the Web Cryptography API. It outlines the legacy approaches to cryptography in web browsers like crypto.signText and CAPICOM. It then summarizes the development of the Web Cryptography API, from early proposals in the HTML5 working group to the current W3C Web Cryptography working group developing the standard. The API aims to provide common cryptographic functions like encryption and signatures to web applications through a standardized JavaScript API.

TechnologyEducation
1 of 24
Downloaded 49 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
The History and Status of Web Cryptography API Channy Yun Mozilla Korean Community http://www.mozilla.or.kr
About me • Before Daum – 1997~2004 E-Commerce • Reference: SK MusicOK, iMusicLand and YBM Tutti etc. – 1999~2004 Payment Gateway • Mypay.net, an integrated payment for SOHO business – 2001~2004 Certificate Business • Thawte.co.kr, an authorized Reseller of Thawte and Verisign Japan • In Daum – 2004~ Web Standards Evangelist • Mozilla Korean Community, Leader (2002-) • W3C HTML W/G, Invited Expert(2007-) • W3C Web Crypto API Community Group, Chair (2011-) • W3C WebCryptography W/G, Invited Expert (2012-)
Agenda • History – Legacy: crypto.signText and CAPICOM – History: XML Signature • HTML5: from document to application – Crypto in HTML W/G – Draft: Web Crypto API • Raising Web Identity – Web Identity and BrowserID • Web Cryptography API – Public key encryption, signing message and decryption. – Use cases and key isolations • Future plan
Legacy: crypto.signText and CAPICOM
History: XML Signature • W3C XML Signature Syntax and Processing • http://www.w3.org/TR/xmldsig-core • From 2000, based on web services bubble • Issues on XML Canonicalization and performance in SOA applications, lacks of web based use cases • Web Activated Signature Protocol • http://webpki.org • From 2006, Based on XML signature proposed by Anders Rundgren • Issues on deprecated XML signature and lacks of primitive functions such as Javascript APIs
From Document to Application 1995 2000 2005 2010 Web Hypertext Application Technology Working Group
Return to W3C - HTML5 Era
Range of HTML5 HTML5 Buzz Word CSS3 Geolocation Canvas HTML5 Offline WebRTC Web Workers Device API Web Form Markup File API Video&Audio Web Sockets WebGL Server-Sent Indexed XMLHttpRequest DOM Storage Events Database API
Crypto in W3C HTML W/G • Simple Keygen • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009- April/019206.html • http://www.w3.org/TR/html-markup/keygen.html • Integrates tightly with the form submission model • Issues on Microsoft has no intention of ever implementing the <keygen> element. (Crypto part was changed “optional”) • Simple form signing • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006- October/007571.html • Strict form submission for crypto.signText <form action="sendMoney" stricted> <input type="text" name="dollars" value="3.00" signed="signed"> <input type="text" name="account" values="1234567890"> <input type="submit" value="Sending Money!"> </form>
Draft: Web Crypto API • http://html5.creation.net/webcrypto-api/ • Focused on certificate services, but issues on identity
Raising Web Identity • Identity Crisis • Dead of OpenID and widely usages of OAuth • Lock-in social web giants (Facebook, Twitter) • Needs of self-managed distributed Identity system • BrowserID and DOM Crypt (2011.5) • Mozilla’s new identity policy • http://identity.mozilla.com/post/7616727542/introducing- browserid-a-better-way-to-sign-in • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011- May/031741.html
c.f. Comparison of Identity
Proposal of Web Identity W/G • http://www.w3.org/2011/08/webidentity-charter.html – Cryptography API • Commonly-used cryptographic primitives should be made available to web application developers via a standardized API to facilitate common operations such as asymmetric encryption key pair generation, encryption, and generation, as well as symmetric encryption, hashing, and signature verification. This work can be based upon DOMCrypt, which has already been discussed in the W3C WebApps WG, HTML WG, and IETF Web Security WG. – Web Identity Sync • This specification should specify how web application developers can synchronize of identity information across multiple devices like browsers. Synchronization should also work in the "Cloud" to support legacy browsers. Anonymous identities (i.e. an "empty" identity) and multiple identities should be supported. When possible, commonly used data- formats should be re-used and the design should take advantage of existing work such as Mozilla Sync. – Identity API • This specification should specify how web application developers access session-state information and authentication credentials to enable functionality such as easier sign-on to services. This API will build upon existing work such as the Verified Email and Session Description Protocols (BrowserID), BrowserAuth, and may optionally propose possible changes to HTML to the HTML WG as well as specify transfer of identity-related data. • WebCrypto API Community Group • http://www.w3.org/community/webcryptoapi • http://www.w3.org/community/webcryptoapi/2011/09/15/why-web-crypto-api/ • Helping W3C Standards for cryptography and certificate services.
Web Cryptography W/G • http://www.w3.org/2011/11/webcryptography-charter.html • Primary API Features in scope are: – key generation, encryption, decryption, deletion, digital signature generation and verification, hash/message authentication codes, key transport/agreement, strong random number generation, key derivation functions, and key storage and control beyond the lifetime of a single session. In addition, the API should be asynchronous and must prevent or control access to secret key material and other sensitive cryptographic values and settings. Encryption and decryption include both symmetric and asymmetric cryptography. • Secondary API Features that may be in scope are: – control of TLS session login/logout, derivation of keys from TLS sessions, a simplified data protection function, multiple key containers, key import/export, a common method for accessing and defining properties of keys, and the lifecycle control of credentials such enrollment, selection, and revocation of credentials with a focus enabling the selection of certificates for signing and encryption. • Out of scope: – features including special handling directly for non-opaque key identification schemes, access-control mechanisms beyond the enforcement of the same-origin policy, and functions in the API that require smartcard or other device-specific behavior.
Web Cryptography API http://www.w3.org/2012/webcrypto/WebCryptoAPI/
• Basic – Hash – Mac – Random Number • window.crypto.getRandomValues • https://dvcs.w3.org/hg/domcrypt/raw-file/tip/Overview.html
• Public Key Encryption • Encrypt and sign message
• Decrypt a received blob • Sign and verify
• Major Functions – Signature, MAC, Public Key Encryption, Symmetric Encryption and Hash • Requirements – a standard, cross-browser API – the speed of native crypto implementation – the security of isolating the keys from JavaScript code – persistent key storage and access to system cert/key • Use Cases – http://www.w3.org/wiki/NetflixWebCryptoUseCase – http://www.w3.org/wiki/KoreaWebCryptoUseCase
Collecting use cases • Primary features • Secure messaging • Encrypted web applications • Storing local storage • Encrypted bill • Client authentications • Secondary features • Financial Transaction: Online bank • Credit card process • SSL VPN • Handling S/MIME mail • Handling XML Encryption • http://www.w3.org/community/webcryptoapi/wiki/Use_Cases
Key isolations proposed by Ryan Sleevi • Origin-bound: – generated via .generateKey() bound to a single origin with short-lived (session cookie style?) • Use case: DHE/ECDHE/PAKE key agreement for opportunistic encryption of chat over Websockets, where the intermediary is not trusted. • Use case: Perhaps some binding of a user login/cookie data to some encrypted context. The key is only as useful as long as the cookie lives, and vice-versa. • Persistent: – effectively super-cookie that might apply to cookies/cache/other data. • Use case: "identity key" with a service might be used for mail signing, HTML5 file storage, online chat, etc. single origin or shared with multiple origins – Keys may be stored in software (managed by the UA), in the OS or some global key store (making them available to other applications beyond the UA), in "the cloud" as part of some sync service, or even stored on another device such as TPM or smart card. • Use Case: For embedders (such as Netflix), for purchase USB TPMs • High Value: – a strong correlation to certain high value transactions - particularly where force of law is involved. Unlike the above 'persistent' keys, HVKs are strongly correlated to identity, and may reflect government or financial services issuance. • Use Case: Signing a legal document - tax forms, contract, performing 'sensitive' transactions (bank transaction confirmation, etc)
Future Plan • Secondary API spec – aka. Web Certificate Service API – TLS login/out, key management including import/export and signing/verification – Discussions for smartcard and USB token • Get started – Join W3C WebCryptography W/G • http://lists.w3.org/Archives/Public/public-webcrypto/ – Join W3C WebCrypto API Community Group • http://www.w3.org/community/webcryptoapi/
References in Korean 1. 액티브X 없이 공인인증서 쓴다 http://www.zdnet.co.kr/news/news_view.asp?artice_id=2 0120323121226 2. 공인인증서 액티브X와 결별하려면 http://www.zdnet.co.kr/news/news_view.asp?artice_id=2 0120329124248 3. 전자서명 웹 표준화 안되나? http://channy.creation.net/blog/884 4. ActiveX 걷어낼 웹표준 만든다 http://blog.creation.net/519 5. WebCrypto API의 현재와 미래 http://channy.creation.net/blog/884
Thanks for listening: Q&A Channy Yun Twitter: @channyun E-mail: channy@mozilla.or.kr Blog: http://channy.creation.net

More Related Content

What's hot (7)

DOCX
Summary of-phenomenology-of-love
paijenalas
 
PPTX
Why You Need an Integrated Digital Marketing Strategy
Kevin Gibbons
 
PPTX
Storyselling
Diane Windingland
 
DOCX
BIOLOGY SBA (LAB)
Cxc Sba
 
PPS
How To Motivate Yourseft
Nghi Huynh
 
PDF
Developing the Growth Mindset
Jacob Onwukwe, B.Eng., PHRi, MBA
 
PPT
Overcoming Perfectionism
Mike Litman
 
Summary of-phenomenology-of-love
paijenalas
 
Why You Need an Integrated Digital Marketing Strategy
Kevin Gibbons
 
Storyselling
Diane Windingland
 
BIOLOGY SBA (LAB)
Cxc Sba
 
How To Motivate Yourseft
Nghi Huynh
 
Developing the Growth Mindset
Jacob Onwukwe, B.Eng., PHRi, MBA
 
Overcoming Perfectionism
Mike Litman
 

Viewers also liked (6)

PPT
The Status Of Web Interoperability And Activities In China, Japan And Korea
Channy Yun
 
PDF
웹 애플리케이션 기술 소개 - NGWeb (2006)
Channy Yun
 
PDF
리눅스와 웹표준(2004)
Channy Yun
 
PPTX
6 types of web application development
Clustox
 
PDF
웹표준을 기반한 크로스 브라우징 표준화 (2005)
Channy Yun
 
PPTX
KAIST 웹 공학 연구실 소개(Web Engineering Lab.)
webeng_kaist
 
The Status Of Web Interoperability And Activities In China, Japan And Korea
Channy Yun
 
웹 애플리케이션 기술 소개 - NGWeb (2006)
Channy Yun
 
리눅스와 웹표준(2004)
Channy Yun
 
6 types of web application development
Clustox
 
웹표준을 기반한 크로스 브라우징 표준화 (2005)
Channy Yun
 
KAIST 웹 공학 연구실 소개(Web Engineering Lab.)
webeng_kaist
 
Ad

Similar to The History and Status of Web Crypto API (2012) (20)

PPTX
Securing online services by combining smart cards and web-based applications
Olivier Potonniée
 
PDF
New Trends in Web Security
Oliver Pfaff
 
PDF
Html5 Application Security
chuckbt
 
PDF
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
PDF
End to-end W3C - JS.everywhere(2012) Europe
Alexandre Morgaut
 
PDF
Protecting Your APIs Against Attack & Hijack
CA API Management
 
PDF
WebAuthn & FIDO2
Leonard Moustacchis
 
PPTX
Evolution Of The Web Platform & Browser Security
Sanjeev Verma, PhD
 
PPTX
HTML5 Programming
hotrannam
 
PDF
End-to-end W3C APIs
Alexandre Morgaut
 
PPTX
Basics of the Web Platform
Sanjeev Verma, PhD
 
PDF
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
 
PDF
Securing Your API
Jason Austin
 
PDF
Java script and web cryptography (cf.objective)
ColdFusionConference
 
PDF
WEBBOX
SOCIAM Project
 
PPT
Web authentication
Pradeep J V
 
PDF
End-to-end W3C APIs - tpac 2012
Alexandre Morgaut
 
PDF
Rest ful security
Truong Truong
 
KEY
RESTful Security
Jim Siegienski
 
PDF
API Design and WebSocket
Frank Greco
 
Securing online services by combining smart cards and web-based applications
Olivier Potonniée
 
New Trends in Web Security
Oliver Pfaff
 
Html5 Application Security
chuckbt
 
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
End to-end W3C - JS.everywhere(2012) Europe
Alexandre Morgaut
 
Protecting Your APIs Against Attack & Hijack
CA API Management
 
WebAuthn & FIDO2
Leonard Moustacchis
 
Evolution Of The Web Platform & Browser Security
Sanjeev Verma, PhD
 
HTML5 Programming
hotrannam
 
End-to-end W3C APIs
Alexandre Morgaut
 
Basics of the Web Platform
Sanjeev Verma, PhD
 
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
 
Securing Your API
Jason Austin
 
Java script and web cryptography (cf.objective)
ColdFusionConference
 
WEBBOX
SOCIAM Project
 
Web authentication
Pradeep J V
 
End-to-end W3C APIs - tpac 2012
Alexandre Morgaut
 
Rest ful security
Truong Truong
 
RESTful Security
Jim Siegienski
 
API Design and WebSocket
Frank Greco
 
Ad

More from Channy Yun (20)

PDF
Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
PDF
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
Channy Yun
 
PDF
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
PDF
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
Channy Yun
 
PDF
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
Channy Yun
 
PDF
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
PDF
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Channy Yun
 
PDF
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Channy Yun
 
PDF
[다운로드] 한국 웹20주년 기념 소책자
Channy Yun
 
PDF
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
Channy Yun
 
PDF
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
Channy Yun
 
PDF
차니의 IT 이야기 #1- 좌충우돌 스타트업 경험기 (윤석찬)
Channy Yun
 
PDF
Microservices architecture examples
Channy Yun
 
PDF
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
Channy Yun
 
PDF
빅데이터 기술 현황과 시장 전망(2014)
Channy Yun
 
PDF
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
Channy Yun
 
PDF
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Channy Yun
 
PDF
Webware - 문서에서 운영 체제 까지 - 윤석찬 (2014)
Channy Yun
 
PDF
오픈 API 서비스 A to Z: Daum API를 중심으로 (윤석찬, Daum) :: API Meetup 2014
Channy Yun
 
PDF
제주 다음 스페이스.1 셀프 투어 가이드
Channy Yun
 
Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
Channy Yun
 
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
Channy Yun
 
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
Channy Yun
 
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Channy Yun
 
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Channy Yun
 
[다운로드] 한국 웹20주년 기념 소책자
Channy Yun
 
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
Channy Yun
 
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
Channy Yun
 
차니의 IT 이야기 #1- 좌충우돌 스타트업 경험기 (윤석찬)
Channy Yun
 
Microservices architecture examples
Channy Yun
 
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
Channy Yun
 
빅데이터 기술 현황과 시장 전망(2014)
Channy Yun
 
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
Channy Yun
 
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Channy Yun
 
Webware - 문서에서 운영 체제 까지 - 윤석찬 (2014)
Channy Yun
 
오픈 API 서비스 A to Z: Daum API를 중심으로 (윤석찬, Daum) :: API Meetup 2014
Channy Yun
 
제주 다음 스페이스.1 셀프 투어 가이드
Channy Yun
 

Recently uploaded (20)

PDF
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
PDF
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
PPTX
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
PDF
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
PPTX
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PDF
July Patch Tuesday
Ivanti
 
PPTX
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
PDF
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
PDF
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
PDF
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PPTX
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PDF
LLMs.txt: Easily Control How AI Crawls Your Site
Keploy
 
PDF
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
July Patch Tuesday
Ivanti
 
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
LLMs.txt: Easily Control How AI Crawls Your Site
Keploy
 
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 

The History and Status of Web Crypto API (2012)

  • 1. The History and Status of Web Cryptography API Channy Yun Mozilla Korean Community http://www.mozilla.or.kr
  • 2. About me • Before Daum – 1997~2004 E-Commerce • Reference: SK MusicOK, iMusicLand and YBM Tutti etc. – 1999~2004 Payment Gateway • Mypay.net, an integrated payment for SOHO business – 2001~2004 Certificate Business • Thawte.co.kr, an authorized Reseller of Thawte and Verisign Japan • In Daum – 2004~ Web Standards Evangelist • Mozilla Korean Community, Leader (2002-) • W3C HTML W/G, Invited Expert(2007-) • W3C Web Crypto API Community Group, Chair (2011-) • W3C WebCryptography W/G, Invited Expert (2012-)
  • 3. Agenda • History – Legacy: crypto.signText and CAPICOM – History: XML Signature • HTML5: from document to application – Crypto in HTML W/G – Draft: Web Crypto API • Raising Web Identity – Web Identity and BrowserID • Web Cryptography API – Public key encryption, signing message and decryption. – Use cases and key isolations • Future plan
  • 5. History: XML Signature • W3C XML Signature Syntax and Processing • http://www.w3.org/TR/xmldsig-core • From 2000, based on web services bubble • Issues on XML Canonicalization and performance in SOA applications, lacks of web based use cases • Web Activated Signature Protocol • http://webpki.org • From 2006, Based on XML signature proposed by Anders Rundgren • Issues on deprecated XML signature and lacks of primitive functions such as Javascript APIs
  • 6. From Document to Application 1995 2000 2005 2010 Web Hypertext Application Technology Working Group
  • 7. Return to W3C - HTML5 Era
  • 8. Range of HTML5 HTML5 Buzz Word CSS3 Geolocation Canvas HTML5 Offline WebRTC Web Workers Device API Web Form Markup File API Video&Audio Web Sockets WebGL Server-Sent Indexed XMLHttpRequest DOM Storage Events Database API
  • 9. Crypto in W3C HTML W/G • Simple Keygen • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009- April/019206.html • http://www.w3.org/TR/html-markup/keygen.html • Integrates tightly with the form submission model • Issues on Microsoft has no intention of ever implementing the <keygen> element. (Crypto part was changed “optional”) • Simple form signing • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006- October/007571.html • Strict form submission for crypto.signText <form action="sendMoney" stricted> <input type="text" name="dollars" value="3.00" signed="signed"> <input type="text" name="account" values="1234567890"> <input type="submit" value="Sending Money!"> </form>
  • 10. Draft: Web Crypto API • http://html5.creation.net/webcrypto-api/ • Focused on certificate services, but issues on identity
  • 11. Raising Web Identity • Identity Crisis • Dead of OpenID and widely usages of OAuth • Lock-in social web giants (Facebook, Twitter) • Needs of self-managed distributed Identity system • BrowserID and DOM Crypt (2011.5) • Mozilla’s new identity policy • http://identity.mozilla.com/post/7616727542/introducing- browserid-a-better-way-to-sign-in • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011- May/031741.html
  • 12. c.f. Comparison of Identity
  • 13. Proposal of Web Identity W/G • http://www.w3.org/2011/08/webidentity-charter.html – Cryptography API • Commonly-used cryptographic primitives should be made available to web application developers via a standardized API to facilitate common operations such as asymmetric encryption key pair generation, encryption, and generation, as well as symmetric encryption, hashing, and signature verification. This work can be based upon DOMCrypt, which has already been discussed in the W3C WebApps WG, HTML WG, and IETF Web Security WG. – Web Identity Sync • This specification should specify how web application developers can synchronize of identity information across multiple devices like browsers. Synchronization should also work in the "Cloud" to support legacy browsers. Anonymous identities (i.e. an "empty" identity) and multiple identities should be supported. When possible, commonly used data- formats should be re-used and the design should take advantage of existing work such as Mozilla Sync. – Identity API • This specification should specify how web application developers access session-state information and authentication credentials to enable functionality such as easier sign-on to services. This API will build upon existing work such as the Verified Email and Session Description Protocols (BrowserID), BrowserAuth, and may optionally propose possible changes to HTML to the HTML WG as well as specify transfer of identity-related data. • WebCrypto API Community Group • http://www.w3.org/community/webcryptoapi • http://www.w3.org/community/webcryptoapi/2011/09/15/why-web-crypto-api/ • Helping W3C Standards for cryptography and certificate services.
  • 14. Web Cryptography W/G • http://www.w3.org/2011/11/webcryptography-charter.html • Primary API Features in scope are: – key generation, encryption, decryption, deletion, digital signature generation and verification, hash/message authentication codes, key transport/agreement, strong random number generation, key derivation functions, and key storage and control beyond the lifetime of a single session. In addition, the API should be asynchronous and must prevent or control access to secret key material and other sensitive cryptographic values and settings. Encryption and decryption include both symmetric and asymmetric cryptography. • Secondary API Features that may be in scope are: – control of TLS session login/logout, derivation of keys from TLS sessions, a simplified data protection function, multiple key containers, key import/export, a common method for accessing and defining properties of keys, and the lifecycle control of credentials such enrollment, selection, and revocation of credentials with a focus enabling the selection of certificates for signing and encryption. • Out of scope: – features including special handling directly for non-opaque key identification schemes, access-control mechanisms beyond the enforcement of the same-origin policy, and functions in the API that require smartcard or other device-specific behavior.
  • 15. Web Cryptography API http://www.w3.org/2012/webcrypto/WebCryptoAPI/
  • 16. • Basic – Hash – Mac – Random Number • window.crypto.getRandomValues • https://dvcs.w3.org/hg/domcrypt/raw-file/tip/Overview.html
  • 17. • Public Key Encryption • Encrypt and sign message
  • 18. • Decrypt a received blob • Sign and verify
  • 19. • Major Functions – Signature, MAC, Public Key Encryption, Symmetric Encryption and Hash • Requirements – a standard, cross-browser API – the speed of native crypto implementation – the security of isolating the keys from JavaScript code – persistent key storage and access to system cert/key • Use Cases – http://www.w3.org/wiki/NetflixWebCryptoUseCase – http://www.w3.org/wiki/KoreaWebCryptoUseCase
  • 20. Collecting use cases • Primary features • Secure messaging • Encrypted web applications • Storing local storage • Encrypted bill • Client authentications • Secondary features • Financial Transaction: Online bank • Credit card process • SSL VPN • Handling S/MIME mail • Handling XML Encryption • http://www.w3.org/community/webcryptoapi/wiki/Use_Cases
  • 21. Key isolations proposed by Ryan Sleevi • Origin-bound: – generated via .generateKey() bound to a single origin with short-lived (session cookie style?) • Use case: DHE/ECDHE/PAKE key agreement for opportunistic encryption of chat over Websockets, where the intermediary is not trusted. • Use case: Perhaps some binding of a user login/cookie data to some encrypted context. The key is only as useful as long as the cookie lives, and vice-versa. • Persistent: – effectively super-cookie that might apply to cookies/cache/other data. • Use case: "identity key" with a service might be used for mail signing, HTML5 file storage, online chat, etc. single origin or shared with multiple origins – Keys may be stored in software (managed by the UA), in the OS or some global key store (making them available to other applications beyond the UA), in "the cloud" as part of some sync service, or even stored on another device such as TPM or smart card. • Use Case: For embedders (such as Netflix), for purchase USB TPMs • High Value: – a strong correlation to certain high value transactions - particularly where force of law is involved. Unlike the above 'persistent' keys, HVKs are strongly correlated to identity, and may reflect government or financial services issuance. • Use Case: Signing a legal document - tax forms, contract, performing 'sensitive' transactions (bank transaction confirmation, etc)
  • 22. Future Plan • Secondary API spec – aka. Web Certificate Service API – TLS login/out, key management including import/export and signing/verification – Discussions for smartcard and USB token • Get started – Join W3C WebCryptography W/G • http://lists.w3.org/Archives/Public/public-webcrypto/ – Join W3C WebCrypto API Community Group • http://www.w3.org/community/webcryptoapi/
  • 23. References in Korean 1. 액티브X 없이 공인인증서 쓴다 http://www.zdnet.co.kr/news/news_view.asp?artice_id=2 0120323121226 2. 공인인증서 액티브X와 결별하려면 http://www.zdnet.co.kr/news/news_view.asp?artice_id=2 0120329124248 3. 전자서명 웹 표준화 안되나? http://channy.creation.net/blog/884 4. ActiveX 걷어낼 웹표준 만든다 http://blog.creation.net/519 5. WebCrypto API의 현재와 미래 http://channy.creation.net/blog/884
  • 24. Thanks for listening: Q&A Channy Yun Twitter: @channyun E-mail: [email protected] Blog: http://channy.creation.net