WebCrypto Design issue for AES GCM
Reported by antonio....@gmail.com, Jul 30
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
Instant Demo in https://asanso.github.io/firefox/aesgcm.html

What is the expected behavior?

What went wrong?
IMHO the WebCrypto API has a design issue (at least in the AES GCM case). As you might see from the code in https://asanso.github.io/firefox/aesgcm.html I have created a wrapping key that has only ["wrapKey"] usage. It should not be possible to recover back the AES key using ["unwrapKey"]. This is indeed the case. But given the fact that the WebCrypto API allows passing an explicit IV, it is trivial in the AES GCM case to recover back the AES key using "wrapKey" again. See https://cryptosense.com/blog/attacks-on-key-wrapping-in-pkcs11-v2-40/ for the equivalent issue in the HSM case.

Did this work before? N/A
Does this work in other browsers? No

Chrome version: 67.0.3396.99 Channel: n/a
OS Version: OS X 10.13.3
Flash Version:
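The keystream reuse behind this report, as an added example that is not part of the report or the linked demo: it checks that a wrap-only AES-GCM key still rejects `unwrapKey`, yet two wraps under the same caller-chosen IV XOR to the XOR of the wrapped keys. The helper names, the all-zero IV and the AES-KW comparison (AES-KW takes no IV parameter) are choices made for this example.

```javascript
// Added example, not code from the report. Browser console or Node.js.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

const xor = (a, b) => a.map((byte, i) => byte ^ b[i]);
const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");

// Hypothetical helper: a data key, extractable only so the demo can compare raw bytes.
async function newDataKey() {
  const key = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  return { key, raw: new Uint8Array(await subtle.exportKey("raw", key)) };
}

// Hypothetical helper: wrap `key` and return the first 32 output bytes for comparison.
async function wrapRaw(key, wrappingKey, algorithm) {
  const wrapped = await subtle.wrapKey("raw", key, wrappingKey, algorithm);
  return new Uint8Array(wrapped).slice(0, 32);
}

async function ivReuseDemo() {
  const a = await newDataKey();
  const b = await newDataKey();
  const plainXor = hex(xor(a.raw, b.raw));

  // Wrap-only, non-extractable AES-GCM wrapping key, as in the report.
  const gcmKey = await subtle.generateKey({ name: "AES-GCM", length: 256 }, false, ["wrapKey"]);
  const gcm = { name: "AES-GCM", iv: new Uint8Array(12) }; // constructed, caller-chosen IV

  // The usage restriction itself holds: unwrapKey with this key is rejected.
  const wrappedA = await subtle.wrapKey("raw", a.key, gcmKey, gcm);
  const unwrapRefused = await subtle
    .unwrapKey("raw", wrappedA, gcmKey, gcm, "AES-GCM", true, ["encrypt"])
    .then(() => false, () => true);

  // Same key and IV give the same keystream: ciphertext XOR equals plaintext XOR.
  const gcmCt = xor(await wrapRaw(a.key, gcmKey, gcm), await wrapRaw(b.key, gcmKey, gcm));

  // AES-KW has no IV parameter for the caller to repeat.
  const kwKey = await subtle.generateKey({ name: "AES-KW", length: 256 }, false, ["wrapKey"]);
  const kwCt = xor(await wrapRaw(a.key, kwKey, "AES-KW"), await wrapRaw(b.key, kwKey, "AES-KW"));

  return {
    unwrapRefused,
    gcmLeaksXor: hex(gcmCt) === plainXor,
    kwLeaksXor: hex(kwCt) === plainXor,
  };
}

ivReuseDemo().then(console.log);
```
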
,
Jul 30
(Restricting as requested.)
,
Jul 30
Thanks @agl. Whoever will take this might also want to change the component to Blink - WebCrypto (as was my original plan before screwing things up :S)
,
Jul 30
,
Jul 30
,
Jul 30
> Does this work in other browsers? No

Note that this is not specific to Chrome - other implementations (including Firefox) work this way, since the spec lets the user control the IV used during encryption.
,
Jul 31
@eroman Yeah I know. As said above this bug was not ready to be filed. For some reason I clicked submit too early. Of course you are right about Firefox. I reported as well to them and they already filed https://github.com/w3c/webcrypto/issues/209
,
Jul 31
Ah understood! I will defer the design question to Ryan then. The W3C bug tracker is probably the better place to continue that discussion.
,
Aug 13
Hi guys, it would be great to hear some opinion.... :)
,
Aug 13
Marking as WontFix, to continue discussion upstream.
,
Aug 13
Thanks a lot Ryan. It would actually be great to get your opinion (here or upstream is the same :))
,
Nov 19
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by antonio....@gmail.com
, Jul 30