Privacy/Features/DOMCryptAPI/UseCases: Difference between revisions

 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
== DOMCrypt API Use Cases ==
== DOMCrypt API Use Cases ==
Back to DOMCrypt Draft Spec: https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest


=== Messaging ===
=== Messaging ===


* Natasha and Boris would like to message one another privately via a web application. The server is untrusted and all message data that Natasha sends to the server should be encrypted so only Boris can read it after downloading. A server compromise will net the server's attacker only blobs of useless data. This web application will use the Public Key API: '''window.cipher.pk.*'''  
* Deuxdrop ( https://wiki.mozilla.org/Labs/Deuxdrop ), a project from Mozilla Labs would benefit from the DOMCrypt API.
* Boot2Gecko apps will benefit greatly from the DOMCrypt API, as the only thing to consume is the DOM and all of the APIs we provide.
** Example: Natasha and Boris would like to message one another privately via a web application. The server is untrusted and all message data that Natasha sends to the server should be encrypted so only Boris can read it after downloading. A server compromise will net the server's attacker only blobs of useless data. This web application will use the Public Key API: '''window.cipher.pk.*'''  


Example Code:
Example Code:
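Review bot: The added "** Example:" sub-bullet still says the application will use '''window.cipher.pk.*''', while the example code that follows is renamed to window.crypto.pk.encrypt. Change the prose to '''window.crypto.pk.*''' so the use case and its code name the same API. The sub-bullet is also nested under the Boot2Gecko item although it describes the general messaging scenario, so consider keeping it as a top-level bullet.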
Line 12: Line 16:
var plainText = "Hey, wanna grab a root beer with me after work?";
var plainText = "Hey, wanna grab a root beer with me after work?";


window.cipher.pk.encrypt(plainText, publicKey, function callback(aCipherMessage) {
window.crypto.pk.encrypt(plainText, publicKey, function callback(aCipherMessage) {
   // Asynchronous crypto API - the plainText is encrypted and the CipherMessage object is returned to this callback function
   // Asynchronous crypto API - the plainText is encrypted and the CipherMessage object is returned to this callback function
   // aCipherMessage is a JS object literal:  
   // aCipherMessage is a JS object literal:  
Line 24: Line 28:
</pre>
</pre>


=== General Purpose Symmetric Crypto ===
=== Symmetric Crypto via Diffie-Hellman Key Exchange ===
 
* A web developer would like to use localStorage or IndexedDB in her diary web application, but would really like all data stored locally to be encrypted should the machine get stolen or 'borrowed' by an unauthorized user.


Example Code:
* TBD


<pre class="brush:js;toolbar:false;">
<pre class="brush:js;toolbar:false;">
// create an encryption key and keep it around for later use - perhaps it is also saved to the server...
  // This API is under development
 
window.cipher.sym.generateKey(function callback(key){
  document.currentKey = key;
  diaryApp.saveKeyToServer(key);
});
 
// save the current diary entry:
var diaryEntry = document.getElementById("diary-entry").textContent;
 
window.cipher.sym.encrypt(diaryEntry, document.currentKey, function callback(cipherText) {
  var entryID = diaryApp.getSequence();
  localStorage.setItem(entryID, cipherText);
  alert("Diary entry saved successfully");
});
 
// decryption
 
window.cipher.sym.decrypt(localStorage.getItem(entryID), document.currentKey, function callback(plainText) {
  document.getElementById("diary-entry").textContent = plainText;
});
</pre>
</pre>
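Review bot: The new heading "Symmetric Crypto via Diffie-Hellman Key Exchange" is backed only by "* TBD" and a "// This API is under development" comment, so the section no longer states any use case. The removed diary scenario (encrypting localStorage or IndexedDB data against a stolen or borrowed machine) involves no second party to exchange keys with and is not covered by the new title. Either keep it under its own heading or state here which two parties derive the shared key and what data it protects.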


Line 58: Line 40:
SHA 256 hashes are handy for storing passwords and generating checksums (among other uses)
SHA 256 hashes are handy for storing passwords and generating checksums (among other uses)


Example code:
Example code uses the hashing API, using the constructor '''window.crypto.hash'''


<pre class="brush:js;toolbar:false;">
<pre class="brush:js;toolbar:false;">
var myPassword = "5ekr3tPa55w0rd";


window.cipher.hash.SHA256(myPassword, function callback(aHash) {
var hasher = new window.crypto.hash("RS256");
   myApp.doSomethingWithAHash(aHash);
var myData = "1234567890abcdefghijklmnopqrstuwxyz";
});
var arrBufferView = new Int8Array(myData.length);
 
for (var i = 0; i < myData.length; i++) {
   arrBufferView[i] = myData.charCodeAt(i);
}
 
hasher.append(arrBufferView);
 
var hashed = hasher.finish();


// Another idea: generating a file checksum in conjunction with the FileAPI
// Another idea: generating a file checksum in conjunction with the FileAPI
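Review bot: The new constructor call new window.crypto.hash("RS256") sits under text about SHA 256 hashes, but "RS256" is the JOSE name for an RSA signature with SHA-256, not a hash algorithm. Use the identifier the draft spec defines for SHA-256 so the example matches the section. The input is also packed into an Int8Array from charCodeAt values, which wraps any code unit above 127. A Uint8Array over an explicit byte encoding would make the hashed bytes unambiguous.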
Line 81: Line 70:
=== Signing APIs that would allow S. Korean web users to use any browser for online banking ===
=== Signing APIs that would allow S. Korean web users to use any browser for online banking ===


* on the WHAT-WG mailing list, this was brought up. The API as spec'd is part of the way there, but needs additional research and API methods
* on the WHAT-WG mailing list, this was brought up. The API as spec'd is part of the way there, but needs additional research and API methods http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031789.html
** NEED EXAMPLES
** NEED EXAMPLES