- From: Web Cryptography Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Mon, 30 Sep 2013 20:31:37 +0000
- To: public-webcrypto@w3.org
crypto-ISSUE-52 (DYNAMIC NONCE): Should the nonce, IV, and associated data be separated? [design for Web Crypto API]

http://www.w3.org/2012/webcrypto/track/issues/52

Raised by: Harry Halpin
On product: design for Web Crypto API

The API should be suggestive of the right use. The encrypt interface seems to be missing some key parameters. For symmetric encryption I would suggest expanding it to

    Promise<any> encrypt(AlgorithmIdentifier algorithm,
                         Key key,
                         Nonce nonce,
                         sequence<CryptoOperationData> associatedData,
                         sequence<CryptoOperationData> cleartextData);

As is, the Nonce and associatedData arguments are missing. As a result, in several modes the IV and associatedData are given as parameters to the algorithms. I worry that this will confuse developers into thinking that the IV and associatedData are set once when the key is initialized and never changed again. But both, especially the nonce, will need to be different for every message. At least if it is being passed in, it would suggest to the developer that the nonce would be changed.

Similarly, AES-GCM decrypt will need to take as input the ciphertext *and* associatedData. Would associatedData always be given as an algorithm parameter?

(Dan Boneh) "at least if it is being passed in it would suggest to the developer that the nonce would be changed."
http://lists.w3.org/Archives/Public/public-webcrypto/2013Sep/0055.html
Received on Monday, 30 September 2013 20:31:38 UTC