Web-Signatures using WebCrypto++


Web-Signatures using WebCrypto++

Anders Rundgren-2
https://mobilepki.org/WCPPSignatureDemo

Primary features:
- No installation of signature plugins, the code is supplied as a part of the RP web.
- No relying party direct access to keys, postMessage

Limitations:
- Not possible to use with existing smart cards
- Requires substantial updates of platforms

This is an early version that requires Chrome or Firefox beta.

Anders

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Web-Signatures using WebCrypto++

Jaroslav Imrich
Hello Anders,

I've just walked through your demo and I am not exactly sure what I've seen. Could you please describe the demo in more detail? Where is my signing key stored? What application (browser, server etc.) is executing the crypto primitives? How does the entered PIN protect access to the signing key? Of course I could explore your source code to find out the answers, but if you can spare some time let's just assume I am a regular user of "traditional web signature apps" (the ones that require a Java applet or ActiveX component to access the private key). Thanks a lot

Regards, Jaroslav


On Mon, Nov 17, 2014 at 7:53 PM, Anders Rundgren <[hidden email]> wrote:
https://mobilepki.org/WCPPSignatureDemo

Primary features:
- No installation of signature plugins, the code is supplied as a part of the RP web.
- No relying party direct access to keys, postMessage

Limitations:
- Not possible to use with existing smart cards
- Requires substantial updates of platforms

This is an early version that requires Chrome or Firefox beta.

Anders


Re: Web-Signatures using WebCrypto++

Anders Rundgren-2
On 2014-11-17 20:45, Jaroslav Imrich wrote:
> Hello Anders,

Hi Jaroslav,

> I've just walked through your demo and I am not exactly sure what I've seen.
> Could you please describe the demo in more detail? Where is my signing key stored?
> What application (browser, server etc.) is executing the crypto primitives?
> How does the entered PIN protect access to the signing key?
> Of course I could explore your source code to find out the answers, but
> if you can spare some time let's just assume I am a regular user of
> "traditional web signature apps" (the ones that require a Java applet or
> ActiveX component to access the private key). Thanks a lot

The demo uses WebCrypto (browser-based crypto) but since WebCrypto
does not support signatures in a useful way I created WebCrypto++.
WebCrypto++ is described by the following document:
http://webpki.org/papers/PKI/pki-webcrypto.pdf#page=2

Keys are imported, PIN-codes emulated and Key ACLs are not
available at all because this is what is missing (IMO) in
the platforms.

This is another and much more sophisticated use of WebCrypto++:
https://mobilepki.org/WebCryptoPlusPlus


FWIW, Microsoft is plotting with another proposal:
https://www.w3.org/2012/webcrypto/wiki/images/d/dd/CertAndKey_Management_Requirements_for_WebCrypto_microsoft.pdf
My analysis of it:

It *seems* that relying party code has direct API access (which is *not* the case with plugins).

That is, it appears that *users* would need to decide (per site) if a site's *client code* is to be trusted or not.
IMO, issuers like banks would probably not accept such an arrangement.

OTOH, I may have gotten it all wrong due to the limited documentation :-)

Regards,
Anders

>
> Regards, Jaroslav
>
>
> On Mon, Nov 17, 2014 at 7:53 PM, Anders Rundgren <[hidden email] <mailto:[hidden email]>> wrote:
>
>     https://mobilepki.org/WCPPSignatureDemo
>
>     Primary features:
>     - No installation of signature plugins, the code is supplied as a part of the RP web.
>     - No relying party direct access to keys, postMessage
>
>     Limitations:
>     - Not possible to use with existing smart cards
>     - Requires substantial updates of platforms
>
>     This is an early version that requires Chrome or Firefox beta.
>
>     Anders
>
>



XML DSig added. Re: Web-Signatures using WebCrypto++

Anders Rundgren-2
Now XML DSig is also working.
It was nice verifying that my belief that it would be very easy generating
XML DSig in JavaScript was indeed true :-)


On 2014-11-17 19:53, Anders Rundgren wrote:

> https://mobilepki.org/WCPPSignatureDemo
>
> Primary features:
> - No installation of signature plugins, the code is supplied as a part of the RP web.
> - No relying party direct access to keys, postMessage
>
> Limitations:
> - Not possible to use with existing smart cards
> - Requires substantial updates of platforms
>
> This is an early version that requires Chrome or Firefox beta.
>
> Anders
>



JOSE Signatures added. Re: XML DSig added. Re: Web-Signatures using WebCrypto++

Anders Rundgren-2
The IETF and W3C claim that all parameter and message data MUST be Base64-encoded
in a credible signature scheme.  I guess this is the opposite of XML DSig, which builds
on an extremely elaborate (and provably brittle) canonicalization scheme.

Personally I have found that if you make certain (IMO "reasonable") assumptions
about JSON parsers, you can get away without both Base64 and canonicalization.

Anyway, the demo now runs all three different approaches just in case :-)

Anders

On 2014-11-20 07:48, Anders Rundgren wrote:

> Now XML DSig is also working.
> It was nice verifying that my belief that it would be very easy generating
> XML DSig in JavaScript was indeed true :-)
>
>
> On 2014-11-17 19:53, Anders Rundgren wrote:
>> https://mobilepki.org/WCPPSignatureDemo
>>
>> Primary features:
>> - No installation of signature plugins, the code is supplied as a part of the RP web.
>> - No relying party direct access to keys, postMessage
>>
>> Limitations:
>> - Not possible to use with existing smart cards
>> - Requires substantial updates of platforms
>>
>> This is an early version that requires Chrome or Firefox beta.
>>
>> Anders
>>
>

