The Web Platform
March 7–8, 2016: Training
March 8–10, 2016: Conference
San Francisco, CA

Web cryptography workshop

Charles Engelke (Info Tech, Inc.), Laurie White (Mercer University)
9:00am–10:30am Tuesday, 03/08/2016
Security Salon 1/2

Prerequisite knowledge

Participants should be familiar with the basic concepts of public-key cryptography and digital signatures, have enough JavaScript experience to understand concepts like callbacks, and be able to use the developer console in a modern web browser.

Materials or downloads needed in advance

Participants must have a recent version of the Google Chrome, Mozilla Firefox, Opera, or Microsoft Edge web browser and any text editor on a Windows, Linux, or OS X computer. As of this writing, Apple Safari does not support the Candidate Recommendation API. You should also clone the talk's GitHub repository and follow the preparation instructions there. A small part of the workshop will be specific to Internet Explorer 11's not-quite-standard version of the API; you'll need Internet Explorer 11 installed on a Windows computer or virtual machine to do those exercises.

Description

The Web Cryptography API brings strong cryptography to standard web browsers without plugins, opening up new opportunities for frontend applications. Charles Engelke and Laurie White demonstrate how to build some of those applications. All you need is a computer with a recent web browser, a text editor, and a file system.

This is a hands-on workshop. By the end, you’ll have written JavaScript code to use standard web browsers with no special plugins to perform symmetric and public-key encryption and decryption and to create and verify digital signatures, which can become a starting point for production code. This enables end-to-end secrecy and authentication between any two users who have standard web browsers on any platform, including mobile or Chrome OS.

Topics include:

  • The use cases for cryptography in the browser
  • An overview of the Web Cryptography API and required JavaScript features to support it
  • Symmetric encryption: encrypt and decrypt messages entered by the user, first with a shared key and then with a shared password/pass-phrase
  • Public-key cryptography: key-pair creation, storage, import, and export
  • Digital signatures: create digital signatures for users’ messages or files, share the public key with others, have those others verify the authenticity of the messages
  • Asymmetric encryption: encrypt and decrypt user messages, using public keys to encrypt and private keys to decrypt
  • X.509 certificates: certificate signing requests, certificate creation, and certificate use for encryption and digital-signature verification
  • Legacy support for Internet Explorer: IE 11 has a good implementation of an early version of the API. It is possible to use it for most functions in a way that can interoperate with current browsers that support the Candidate Recommendation API. Charles and Laurie will show you how.

Charles Engelke

Info Tech, Inc.

As the CTO of Info Tech, Inc., Charles Engelke led the effort to bring sealed bidding to the Internet, which requires public-key cryptography to maintain the seal and provide digital signatures. As a result, native-code solutions have handled more than $1 trillion in US state highway and bridge construction bids so far. Charles is now working with a team to develop browser-based bidding software that uses the Web Cryptography API.

Laurie White

Mercer University

Laurie White has taught a wide variety of subjects in computer science, ranging from introductory programming to programming languages, software engineering, compiler design, discrete mathematics, and theory of computation, most recently as a professor of computer science at Mercer University. Laurie has done extensive curriculum development for the Advanced Placement Computer Science program, run workshops on programming tools and APCS, and served four years as the chair of the APCS Development Committee, which defines the AP curriculum and tests.