Security Analysis of the W3C Web Cryptography API | SpringerLink
Skip to main content
Springer Nature Link
Log in

Security Analysis of the W3C Web Cryptography API

  • Conference paper
  • First Online:
Security Standardisation Research (SSR 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10074))

Included in the following conference series:

Abstract

Due to the success of formal modeling of protocols such as TLS, there is a revival of interest in applying formal modeling to standardized APIs. We argue that formal modeling should happen as the standard is being developed (not afterwards) as it can detect complex or even simple attacks that the standardization group may not otherwise detect. As a case example of this, we discuss in detail the W3C Web Cryptography API. We demonstrate how a formal analysis of the API using the modeling language AVISPA with a SAT solver demonstrates that while the API has no errors in basic API operations and maintains its security properties for the most part, there are nonetheless attacks on secret key material due to how key wrapping and usages are implemented. Furthermore, there were a number of basic problems in terms of algorithm selection and a weakness that led to a padding attack. The results of this study led to the removal of algorithms before its completed standardization and the removal of the padding attack via normalization of error codes, although the key wrapping attack is still open. We expect this sort of formal methodology to be applied to new standardization efforts at the W3C such as the W3C Web Authentication API.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    http://www.w3.org/2012/webcrypto/.

  2. 2.

    http://matasano.com/articles/javascript-cryptography/.

  3. 3.

    https://crypto.cat/.

  4. 4.

    http://openpgpjs.org/.

  5. 5.

    See the results of the 2014 penetration testing report by Cure53.de available here: https://cure53.de/pentest-report_openpgpjs.pdf.

  6. 6.

    The workshop was called ‘Identity in the Browser,’ archived at http://www.w3.org/2011/identity-ws/.

  7. 7.

    https://www.w3.org/2011/webappsec/.

  8. 8.

    http://www.w3.org/TR/WebIDL/.

  9. 9.

    See https://developer.mozilla.org/en-US/docs/DOM.

  10. 10.

    See http://www.w3.org/TR/IndexedDB/.

  11. 11.

    http://www.avispa-project.org/.

  12. 12.

    The formal semantics of AVISPA’s higher-level HLPSL that subsumes IF are out of scope but are given here: http://www.avispa-project.org/delivs/2.1/d2-1.pdf.

  13. 13.

    Throughout this paper we omit many AVISPA-specific constructs in order to focus on the underlying model. This includes statements that are necessary for modeling protocols but not APIs, but will nonetheless cause errors if omitted. The complete rules are available here: http://www.w3.org/2012/webcrypto/webcrypto_if_files.tgz.

  14. 14.

    Note as of September 2016, the 2014 report is currently under revision.

  15. 15.

    http://www.ietf.org/mail-archive/web/tls/current/msg12362.html.

  16. 16.

    http://safecurves.cr.yp.to/.

  17. 17.

    https://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-01.html.

  18. 18.

    https://sites.google.com/site/itstheshappening/.

  19. 19.

    Such as ARM TrustZone.

  20. 20.

    http://www.fidoalliance.org.

  21. 21.

    For details of the W3C Web Cryptography v.Next workshop that dealt with hardware tokens, FIDO, and trusted execution environments, see http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/.

  22. 22.

    http://theupdateframework.com/.

  23. 23.

    https://www.w3.org/TR/webauthn.

References

  1. Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 5–17. ACM (2015)

    Google Scholar 

  2. Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium, CSF 2010, pp. 290–304. IEEE Computer Society, Washington, DC, USA (2010)

    Google Scholar 

  3. Sleevi, R., Watson, M.: Web Cryptography API. Candidate recommendation, IETF (2014). http://www.w3.org/TR/WebCryptoAPI/

  4. Bansal, C., Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Keys to the cloud: formal analysis and concrete attacks on encrypted web storage. In: Basin, D., Mitchell, J.C. (eds.) POST 2013. LNCS, vol. 7796, pp. 126–146. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36830-1_7

    Chapter  Google Scholar 

  5. Bardou, R., Focardi, R., Kawamoto, Y., Simionato, L., Steel, G., Tsay, J.-K.: Efficient padding oracle attacks on cryptographic hardware. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 608–625. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_36

    Chapter  Google Scholar 

  6. Barth, A., Veditz, D., West, M.: Content Security Policy level 1.1. Working draft, W3C (2012). http://www.w3.org/TR/2014/WD-CSpp. 11-20140211/

  7. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006). doi:10.1007/11818175_36

    Chapter  Google Scholar 

  8. Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). doi:10.1007/3-540-68339-9_34

    Google Scholar 

  9. Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 535–552. IEEE (2015)

    Google Scholar 

  10. Bhargavan, K., Lavaud, A.D., Fournet, C., Pironti, A., Strub, P.-Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 98–113. IEEE (2014)

    Google Scholar 

  11. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001, pp. 82–96. IEEE Computer Society, Washington, DC, USA (2001)

    Google Scholar 

  12. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998). doi:10.1007/BFb0055716

    Chapter  Google Scholar 

  13. Bond, M., Anderson, R.: API-level attacks on embedded systems. Computer 34(10), 67–75 (2001)

    Article  Google Scholar 

  14. Boneh, D., Shparlinski, I.E.: On the unpredictability of bits of the elliptic curve Diffie-Hellman scheme. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 201–212. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_12

    Chapter  Google Scholar 

  15. Braun, F., Akhawe, D., Weinberger, J., West, M.: Subresource Integrity. Working draft, W3C (2014). http://www.w3.org/TR/SRI/

  16. Cremers, C.J.F.: The Scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). doi:10.1007/978-3-540-70545-1_38

    Chapter  Google Scholar 

  17. Delaune, S., Kremer, S., Steel, G.: Formal security analysis of PKCS#11 and proprietary extensions. J. Comput. Secur. 18(6), 1211–1245 (2010)

    Article  Google Scholar 

  18. Dennis, G., Chang, F.S.-H., Jackson, D.: Modular verification of code with SAT. In: Proceedings of the ACM/SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2006, 17–20 July 2006, Portland, Maine, USA, pp. 109–120 (2006)

    Google Scholar 

  19. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)

    Article  MathSciNet  MATH  Google Scholar 

  20. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 38–49. ACM, New York (2012)

    Google Scholar 

  21. Halpin, H.: The W3C web cryptography API: motivation and overview. In: Proceedings of the Companion Publication of the 23rd International Conference on World Wide Web Companion, WWW Companion 2014, pp. 959–964, Republic and Canton of Geneva, Switzerland. International World Wide Web Conferences Steering Committee (2014)

    Google Scholar 

  22. Jackson, D.: Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol. 11(2), 256–290 (2002)

    Article  Google Scholar 

  23. Jager, T., Schinzel, S., Somorovsky, J.: Bleichenbacher’s attack strikes again: breaking PKCS#1 v1.5 in XML encryption. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 752–769. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33167-1_43

    Chapter  Google Scholar 

  24. Kaliski, B.: PKCS #7: Cryptographic Message Syntax. RSA Security Inc., v1.5. https://www.ietf.org/rfc/rfc2315.txt

  25. Kaminsky, A., Kurdziel, M., Radziszowski, S.: An overview of cryptanalysis research for the advanced encryption standard. In: 2010 Military Communications Conference - MILCOM 2010 (2010)

    Google Scholar 

  26. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_34

    Chapter  Google Scholar 

  27. Künnemann, R., Steel, G.: YubiSecure? Formal security analysis results for the Yubikey and YubiHSM. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 257–272. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38004-4_17

    Chapter  Google Scholar 

  28. Laurie, B., Langley, A., Kasper, E.: RFC 6962 Certificate Transparency. Experimental, IETF (2013). https://tools.ietf.org/html/rfc6962

  29. Mitchell, C.J.: Error Oracle attacks on CBC mode: is there a future for CBC mode encryption? In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 244–258. Springer, Heidelberg (2005). doi:10.1007/11556992_18

    Chapter  Google Scholar 

  30. Near, J.P., Jackson, D.: Derailer: interactive security analysis for web applications. In: Proceedings of the 29th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 587–598. IEEE/ACM (2014)

    Google Scholar 

  31. Paterson, K.G., Yau, A.: Padding Oracle attacks on the ISO CBC mode encryption standard. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 305–323. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24660-2_24

    Chapter  Google Scholar 

  32. Perrin, T.: Web Cryptography API. Editor’s draft, W3C (2014). http://github.com/trevp/curve25519_webcrypto

  33. Rizzo, J.: Duong., T.: Practical padding Oracle attacks. In: Proceedings of the 4th USENIX Conference on Offensive Technologies, WOOT 2010, pp. 1–8. USENIX Association, Berkeley, CA, USA (2010)

    Google Scholar 

  34. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). doi:10.1007/11761679_23

    Chapter  Google Scholar 

  35. Rogaway, P.: Evaluation of some blockcipher modes of operation. Technical report, University of California, Davis, Evaluation carried out for the Cryptography Research and Evaluation Committees (CRYPTREC) for the Government of Japan, February 2011

    Google Scholar 

  36. Schmidt, B., Sasse, R., Cremers, C., Basin, D.: Automated verification of group key agreement protocols. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 179–194. IEEE (2014)

    Google Scholar 

  37. Smart, N.P., Rijmen, V., Warinschi, B., Watson, G., Patterson, K., Stam, M.: Algorithms, key sizes and parameters report: 2014 recommendations. Technical report, November 2014. ENISA Report. Version 1.0

    Google Scholar 

  38. Stark, E., Hamburg, M., Boneh, D.: Symmetric cryptography in Javascript. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 373–381. IEEE Computer Society, Washington, DC, USA (2009)

    Google Scholar 

  39. Taly, A., Erlingsson, Ú., Mitchell, J.C., Miller, M.S., Nagra, J.: Automated analysis of security-critical Javascript APIs. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011, pp. 363–378. IEEE Computer Society, Washington, DC, USA (2011)

    Google Scholar 

  40. Torlak, E., Taghdiri, M., Dennis, G., Near, J.P.: Applications and extensions of alloy: past, present and future. Math. Struct. Comput. Sci. 23(4), 915–933 (2013)

    Article  MathSciNet  Google Scholar 

  41. Vaudenay, S.: Security flaws induced by CBC padding — applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002). doi:10.1007/3-540-46035-7_35

    Chapter  Google Scholar 

  42. Wen, C.C., Dawson, E., González Nieto, J.M., Simpson, L.: A framework for security analysis of key derivation functions. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 199–216. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29101-2_14

    Chapter  Google Scholar 

  43. Yao, F.F., Yin, Y.L.: Design and analysis of password-based key derivation functions. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 245–261. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30574-3_17

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Washington State University, PO Box 442, Seattle, Washington, 98194, USA

    Kelsey Cairns

  2. INRIA, 2 Simone Iff, 75012, Paris, France

    Harry Halpin

  3. Cryptosense, 19 Boulevard Poissonnire, 75022, Paris, France

    Graham Steel

Authors
  1. Kelsey Cairns
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Harry Halpin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Graham Steel
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Harry Halpin .

Editor information

Editors and Affiliations

  1. Computer Security Division, NIST, Gaithersburg, Maryland, USA

    Lidong Chen

  2. Cisco Systems Inc., San Jose, USA

    David McGrew

  3. University of London, Egham, United Kingdom

    Chris Mitchell

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Cairns, K., Halpin, H., Steel, G. (2016). Security Analysis of the W3C Web Cryptography API. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science(), vol 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-49100-4_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49099-1

  • Online ISBN: 978-3-319-49100-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics