Open Bug 1479487 Opened 6 years ago Updated 6 months ago

WebCrypto Design issue for AES GCM

Categories: Core :: DOM: Web Crypto, defect, P3, 61 Branch

People: Reporter: antonio.sanso, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [domsecurity-backlog2]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180704003137

Steps to reproduce:

Instant demo at https://asanso.github.io/firefox/aesgcm.html

Actual results:

IMHO the WebCrypto API has a design issue (at least in the AES-GCM case).
As you can see from the code in https://asanso.github.io/firefox/aesgcm.html, I have created a wrapping key that has only ["wrapKey"] usage. It should not be possible to recover the AES key using ["unwrapKey"].
This is indeed the case. But given that the WebCrypto API allows passing an explicit IV, it is trivial in the AES-GCM case to recover the AES key using "wrapKey" again. See https://cryptosense.com/blog/attacks-on-key-wrapping-in-pkcs11-v2-40/ for the equivalent issue in the HSM case.
Franziskus, can you involve the right people here now that Tim's gone?
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(franziskuskiefer)
Product: Firefox → Core
I guess I'm the right people.

Thanks Antonio for reporting. I agree this isn't great but it's a spec issue rather than a Firefox issue.
I don't see anything in the spec that would allow us to ignore the IV when wrapping keys. I filed a spec issue to add a note on IV re-use issues.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(franziskuskiefer)
Whiteboard: [domsecurity-backlog2]
Wasn't the whole point of the WebCrypto "subtle" naming to point out that you can really screw up everything in there if you don't know what you're doing? There were those who didn't even want any of that to be in the API, just a foolproof simple API with safe defaults, but that wouldn't allow people to write crypto that interfaced with existing implementations.

Since the issue is public on github (and likely argued about during the writing of the spec) we don't need to keep this hidden.
Group: dom-core-security
Priority: -- → P3
Component: DOM: Security → DOM: Web Crypto
Severity: normal → S3