Skip to content

Secure Curves in WebCrypto #46

Closed
Closed
@twiss

Description

Introduction

The Web Cryptography API currently only specifies the NIST P-256, P-384, and P-521 curves, and does not specify any "safe curves". Among the safe curves, Curve25519 and Curve448 have gained the most traction, and have been specified for use in TLS 1.3, for example. They have also been recommended by the Crypto Forum Research Group (CFRG) of the Internet Research Task Force (IRTF), and are expected to be approved by NIST.

In addition, Node.js has implemented a nonstandard extension to Web Crypto, adding Curve25519 and Curve448 under a vendor-prefixed name. We would like to avoid other implementations doing the same, and encourage intercompatibility going forward by providing a standard specification.

Today, web developers are getting around the unavailability of Curve25519 and Curve448 in the browser either by using less secure curves, or by including an implementation of Curve25519 and/or Curve448 in JavaScript or WebAssembly. In addition to wasting bandwidth shipping algorithms that are already included in browsers that implement TLS 1.3, this practice also has security implications, e.g. side-channel attacks as studied by Daniel Genkin et al.

We propose solving the above problem by adding support for Curve25519 and Curve448 algorithms in the Web Cryptography API, namely the signature algorithms Ed25519 and Ed448, and the key agreement algorithms X25519 and X448.

Read the complete Explainer.

See the Draft Specification.

Feedback

I welcome feedback in this thread, but encourage you to file bugs against the Explainer.

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions