The Web Platform
March 7–8, 2016: Training
March 8–10, 2016: Conference
San Francisco, CA

Web cryptography workshop

Charles Engelke (Google, LLC), Laurie White (Google, LLC)
9:00am–10:30am Tuesday, 03/08/2016
Security Salon 1/2

Prerequisite knowledge

Participants should be familiar with the basic concepts of public-key cryptography and digital signatures, have enough JavaScript experience to understand concepts like callbacks, and be able to use the developer console in a modern web browser.

Materials or downloads needed in advance

Participants must have a recent version of the Google Chrome, Mozilla Firefox, Opera, or Microsoft Edge web browser and any text editor on a Windows, Linux, or OS X computer (as of this writing, Apple Safari does not support the Candidate Recommendation API). You should also clone the talk's GitHub repository and follow preparation instructions there. A small part of the workshop will be specific to Internet Explorer 11's not-quite-standard version of the API; you'll need Internet Explorer 11 installed on a Windows computer or virtual machine to do those exercises.

Description

The Web Cryptography API brings strong cryptography to standard web browsers without plugins, opening up new opportunities for frontend applications. Charles Engelke and Laurie White demonstrate how to build some of those applications. All you need is a computer with a recent web browser, a text editor, and a file system.

This is a hands-on workshop. By the end, you’ll have written JavaScript code to use standard web browsers with no special plugins to perform symmetric and public-key encryption and decryption and to create and verify digital signatures, which can become a starting point for production code. This enables end-to-end secrecy and authentication between any two users who have standard web browsers on any platform, including mobile or Chrome OS.

Topics include:

  • The use cases for cryptography in the browser
  • An overview of the Web Cryptography API and required JavaScript features to support it
  • Symmetric encryption: encrypt and decrypt messages entered by the user, first with a shared key and then with a shared password/pass-phrase
  • Public-key cryptography: key-pair creation, storage, import, and export
  • Digital signatures: create digital signatures for users’ messages or files, share the public key with others, and have them verify the authenticity of the messages
  • Asymmetric encryption: encrypt and decrypt user messages, but using public keys to encrypt and private keys to decrypt
  • X.509 certificates: certificate signing requests, certificate creation, and certificate use for encryption and digital-signature verification
  • Legacy support for Internet Explorer: IE 11 has a good implementation of an early version of the API. It is possible to use it for most functions in a way that can interoperate with current browsers that support the Candidate Recommendation API. Charles and Laurie will show you how.

Charles Engelke

Google, LLC

Charles Engelke is a Senior Developer Programs Engineer at Google Cloud, focused on application development for the cloud. Prior to coming to Google, he was the CTO of Info Tech, Inc., where he led the effort to bring sealed bidding to the Internet and led teams that built several other native, web, and mobile applications.

Laurie White

Google, LLC

Laurie White is a Senior Developer Advocate at Google Cloud, focusing on helping higher education use the cloud, and is Professor Emeritus of Computer Science at Mercer University. During her career as a professor, she taught a wide variety of subjects in computer science, ranging from introductory programming to programming languages, software engineering, compiler design, discrete mathematics, and theory of computation.