Cryptography in the Browser

Charles Engelke (Info Tech, Inc.)
2:15pm–2:45pm Wednesday, 04/22/2015
Security
Location: Salon 12/13/14/15
Average rating: 4.00 (4 ratings)
Slides: PDF

Browser-based JavaScript applications rarely use strong cryptography. That’s partly because SSL/TLS already secures and authenticates the connection between browser and server, eliminating some (though not all) reasons to do cryptography in the browser itself: it does nothing for data that must stay sealed from the server, or for signatures that must come from the user rather than the site. But it’s primarily because JavaScript and the browser have not been a good platform for cryptography. That is changing with the new Web Cryptography API, which opens up new opportunities for front-end applications.

My company has been building applications and services using public-key cryptography since the 1990s, but we haven’t been able to deploy them in web browsers without plugins until now. The Web Cryptography API makes it feasible to perform the necessary cryptography in the browser, but there are still significant challenges in building a real application around it. This talk comes from our work to do just that.

Topics addressed in this talk:

  • Use cases for cryptography in the browser.
  • Requirements for good cryptography that have been hard for browsers to meet.
  • Overview of the Web Cryptography API. Why most of the API is called “subtle”.
  • Recent JavaScript features needed to use the API: Typed Arrays and Promises.
  • Key generation, public key encryption, and digital signature code samples.
  • Addressing challenges not directly met by the API, including key storage and working with X.509.
  • Possible future directions for the API.

SESSION REQUIREMENTS AND INSTRUCTIONS FOR ATTENDEES

Familiarity with the basic concepts of public key cryptography and digital signatures and enough JavaScript to understand concepts like callbacks.

Charles Engelke

Info Tech, Inc.

As the CTO of Info Tech, Inc., Charles Engelke led the effort to bring sealed bidding to the Internet, which requires public key cryptography to maintain the seal and provide digital signatures. As a result, native code solutions have handled more than US $1 trillion in US state highway and bridge construction bids so far. He is now working with a team to develop browser-based bidding software that uses the Web Cryptography API.