Secure Curves in WebCrypto #46
Comments
|
I can confirm implementer interest in Node.js and in Cloudflare Workers. (Context) Further, I suggest to consider including the HashEdDSA variants (namely, Ed25519ph and Ed448ph) in addition to the PureEdDSA variants (namely, Ed25519 and Ed448), see WICG/webcrypto-secure-curves#5. |
|
I likewise support adoption of this draft, I am in a position to enable its implementation in the Node.js runtime as well as a universal JOSE library for developers to be able to take advantage of EdDSA in JWS and ECDH-ES using X* functions in JWE. |
|
We're interested too (Deno), and will be implementing this if it lands. |
|
Seems like there's enough support for this to be incubated! \o/ Feel free to transfer the repo to me, and I can move it to the WICG org. |
|
Great, thanks! Transfer requested :) |
|
Repo is now live at https://github.com/WICG/webcrypto-secure-curves |
|
🎉 Thanks! Could you update the URL in the "About" section of the repo to https://wicg.github.io/webcrypto-secure-curves/, or give me access to do so, by any chance? |
|
You should have permissions now |
|
🙏 Thanks! |
Introduction
The Web Cryptography API currently only specifies the NIST P-256, P-384, and P-521 curves, and does not specify any "safe curves". Among the safe curves, Curve25519 and Curve448 have gained the most traction, and have been specified for use in TLS 1.3, for example. They have also been recommended by the Crypto Forum Research Group (CFRG) of the Internet Research Task Force (IRTF), and are expected to be approved by NIST.
In addition, Node.js has implemented a nonstandard extension to Web Crypto, adding Curve25519 and Curve448 under a vendor-prefixed name. We would like to avoid other implementations doing the same, and encourage intercompatibility going forward by providing a standard specification.
Today, web developers are getting around the unavailability of Curve25519 and Curve448 in the browser either by using less secure curves, or by including an implementation of Curve25519 and/or Curve448 in JavaScript or WebAssembly. In addition to wasting bandwidth shipping algorithms that are already included in browsers that implement TLS 1.3, this practice also has security implications, e.g. side-channel attacks as studied by Daniel Genkin et al.
We propose solving the above problem by adding support for Curve25519 and Curve448 algorithms in the Web Cryptography API, namely the signature algorithms Ed25519 and Ed448, and the key agreement algorithms X25519 and X448.
Read the complete Explainer.
See the Draft Specification.
Feedback
I welcome feedback in this thread, but encourage you to file bugs against the Explainer.
The text was updated successfully, but these errors were encountered: