Web Cryptography API – Wikipedia

World Wide Web Consortium cryptography standard
The Web Cryptography API is the World Wide Web Consortium's (W3C) recommendation for a low-level interface that would increase the security of web applications by allowing them to perform cryptographic functions without having to access raw keying material. [1] This agnostic API would perform basic cryptographic operations, such as hashing, signature generation and verification and encryption as well as decryption from within a web application. [2]

Description

On 26 January 2017, the W3C released its recommendation for a Web Cryptography API [3] that could perform basic cryptographic operations in web applications. This agnostic API would utilize JavaScript to perform operations that would increase the security of data exchange within web applications. The API would provide a low-level interface to create and/or manage public keys and private keys for hashing, digital signature generation and verification and encryption and decryption for use with web applications. The Web Cryptography API could be used for a wide range of uses, including:

  • Providing authentication for users and services
  • Electronic signing of documents or code
  • Protecting the integrity and confidentiality of communication and digital data exchange

Because the Web Cryptography API is agnostic in nature, it can be used on any platform. It would provide a common set of interfaces that would permit web applications and progressive web applications to conduct cryptographic functions without the need to access raw keying material. This would be done with the assistance of the SubtleCrypto interface, which defines a group of methods to perform the above cryptographic operations. Additional interfaces within the Web Cryptography API would allow for key generation, key derivation and key import and export. [1]

Vision for using the Web Cryptography API

The W3C's specification for the Web Cryptography API places focus on the common functionality and features that currently exist between platform-specific and standardized cryptographic APIs versus those that are known to just a few implementations. The group's recommendation for the use of the Web Cryptography API does not dictate that a mandatory set of algorithms must be implemented. This is because of the awareness that cryptographic implementations will vary amongst conforming user agents because of government regulations, local policies, security practices and intellectual property concerns. There are many types of existing web applications that the Web Cryptography API would be well suited for use with. [1]

Multi-factor authentication

Today multi-factor authentication is considered one of the most reliable methods for verifying the identity of a user of a web application, such as online banking. Many web applications currently depend on this authentication method to protect both the user and the user agent. With the Web Cryptography API, a web application would have the ability to provide authentication from within itself instead of having to rely on transport-layer authentication to secret keying material to authenticate user access. This process would provide a richer experience for the user. The Web Cryptography API would allow the application to locate suitable client keys that were previously created by the user agent or had been pre-provisioned by the web application. The application would be able to give the user agent the ability to either generate a new key or re-use an existing key in the event the user does not have a key already associated with their account. By binding this process to the Transport Layer Security that the user is authenticating through, the multi-factor authentication process can be additionally strengthened by the derivation of a key that is based on the underlying transport. [1] [2]

Protected document exchange

The API can be used to protect sensitive or confidential documents from unauthorized viewing from within a web application, even if they have been previously securely received. The web application would use the Web Cryptography API to encrypt the document with a secret key and then wrap it with public keys that have been associated with users who are authorized to view the document. Upon navigating to the web application, the authorized user would receive the document that had been encrypted and would be instructed to use their private key to begin the unwrapping process that would allow them to decrypt and view the document. [2]
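The encrypt-then-wrap flow described above, as an added example that is not part of the original article. The choice of AES-GCM for the document and RSA-OAEP for wrapping, and all function names, are assumptions made for the illustration; the sample document and recipients are constructed.

```javascript
// Added example: one content key encrypts the document; it is wrapped per recipient.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node.js
const subtle = webCrypto.subtle;

// Key pair for one authorized user; the private key is created non-extractable.
function newRecipientKeyPair() {
  return subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    false, ["wrapKey", "unwrapKey"]);
}

// Encrypt the document once, then wrap the content key for every authorized public key.
async function protectDocument(plaintext, recipientPublicKeys) {
  // Extractable only so that wrapKey can export it in wrapped form.
  const contentKey = await subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const iv = webCrypto.getRandomValues(new Uint8Array(12));
  const ciphertext = await subtle.encrypt({ name: "AES-GCM", iv }, contentKey, plaintext);
  const wrappedKeys = [];
  for (const publicKey of recipientPublicKeys) {
    wrappedKeys.push(await subtle.wrapKey("raw", contentKey, publicKey, { name: "RSA-OAEP" }));
  }
  return { iv, ciphertext, wrappedKeys };
}

// Recipient side: unwrap the content key as non-extractable, then decrypt.
async function openDocument(envelope, wrappedKey, privateKey) {
  const contentKey = await subtle.unwrapKey(
    "raw", wrappedKey, privateKey, { name: "RSA-OAEP" },
    { name: "AES-GCM" }, false, ["decrypt"]);
  return subtle.decrypt({ name: "AES-GCM", iv: envelope.iv }, contentKey, envelope.ciphertext);
}

async function demoDocumentExchange() {
  const alice = await newRecipientKeyPair();
  const bob = await newRecipientKeyPair();
  const outsider = await newRecipientKeyPair(); // not on the recipient list
  const doc = new TextEncoder().encode("constructed sample document");
  const env = await protectDocument(doc, [alice.publicKey, bob.publicKey]);
  const opened = new TextDecoder().decode(
    await openDocument(env, env.wrappedKeys[1], bob.privateKey));
  // A key pair that was never authorized cannot unwrap the content key.
  const outsiderFails = await openDocument(env, env.wrappedKeys[0], outsider.privateKey)
    .then(() => false, () => true);
  return { opened, outsiderFails };
}
```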

Cloud storage

Many businesses and individuals rely on cloud storage. For protection, remote service providers might want their web application to give users the ability to protect their confidential documents before uploading their documents or other data. The Web Cryptography API would allow users to:

  • Choose to select a private or secret key
  • Derive an encryption key from their key if they wish
  • Encrypt their document/data
  • Upload their encrypted document/data using the service provider’s existing APIs [2]

Electronic document signing

The ability to electronically sign documents saves time, enhances the security of important documents and can serve as legal proof of a user's acceptance of a document. Many web applications choose to accept electronic signatures instead of requiring written signatures. With the Web Cryptography API, a user would be prompted to choose a key that could be generated or pre-provisioned specifically for the web application. The key could then be used during the signing operation.

Protecting data integrity

Web applications often cache data locally, which puts the data at risk for compromise if an offline attack were to occur. The Web Cryptography API permits the web application to use a public key deployed from within itself to verify the integrity of the data cache. [2]

Secure messaging

The Web Cryptography API can enhance the security of messaging for use in off-the-record (OTR) and other types of message-signing schemes through the use of key agreement. The message sender and intended recipient would negotiate shared encryption and message authentication code (MAC) keys to encrypt and decrypt messages to prevent unauthorized access. [2]
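The key-agreement step described above, as an added example that is not part of the original article. It assumes ECDH on P-256, HKDF to split the shared secret into separate encryption and MAC keys, and AES-CTR with HMAC in an encrypt-then-MAC arrangement; the function names, labels and test message are constructed for the illustration.

```javascript
// Added example: ECDH key agreement, then separate encryption and MAC keys via HKDF.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node.js
const subtle = webCrypto.subtle;
const utf8 = new TextEncoder();

const concat = (a, b) => { const o = new Uint8Array(a.length + b.length); o.set(a); o.set(b, a.length); return o; };
const newParty = () => subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, false, ["deriveBits"]);

// Both sides call this with their own private key and the peer's public key.
async function sessionKeys(myPrivate, theirPublic) {
  const secret = await subtle.deriveBits({ name: "ECDH", public: theirPublic }, myPrivate, 256);
  const ikm = await subtle.importKey("raw", secret, "HKDF", false, ["deriveKey"]);
  const hkdf = (label) => ({ name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32), info: utf8.encode(label) });
  const encKey = await subtle.deriveKey(hkdf("demo-encryption"), ikm,
    { name: "AES-CTR", length: 256 }, false, ["encrypt", "decrypt"]);
  const macKey = await subtle.deriveKey(hkdf("demo-mac"), ikm,
    { name: "HMAC", hash: "SHA-256", length: 256 }, false, ["sign", "verify"]);
  return { encKey, macKey };
}

// Encrypt-then-MAC: the tag covers the counter block and the ciphertext.
async function seal(keys, text) {
  const counter = webCrypto.getRandomValues(new Uint8Array(16));
  const body = new Uint8Array(await subtle.encrypt(
    { name: "AES-CTR", counter, length: 64 }, keys.encKey, utf8.encode(text)));
  const tag = await subtle.sign("HMAC", keys.macKey, concat(counter, body));
  return { counter, body, tag };
}

// Verify the MAC before decrypting; reject anything that fails the check.
async function unseal(keys, msg) {
  const ok = await subtle.verify("HMAC", keys.macKey, msg.tag, concat(msg.counter, msg.body));
  if (!ok) throw new Error("MAC check failed");
  const plain = await subtle.decrypt(
    { name: "AES-CTR", counter: msg.counter, length: 64 }, keys.encKey, msg.body);
  return new TextDecoder().decode(plain);
}

async function demoMessaging() {
  const alice = await newParty(), bob = await newParty();
  const aliceKeys = await sessionKeys(alice.privateKey, bob.publicKey);
  const bobKeys = await sessionKeys(bob.privateKey, alice.publicKey);
  const msg = await seal(aliceKeys, "constructed test message");
  const received = await unseal(bobKeys, msg);
  msg.body[0] ^= 0x01; // simulate modification in transit
  const tamperRejected = await unseal(bobKeys, msg).then(() => false, () => true);
  return { received, tamperRejected };
}
```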

JavaScript Object Signing and Encryption (JOSE)

The Web Cryptography API can be used by web applications to interact with message formats and structures that are defined under the JOSE Working Group. [4] The application can read and import JSON Web Signature (JWK) keys, validate messages that have been protected through electronic signing or MAC keys and decrypt JWE messages.
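Importing a JWK-formatted public key and using it to validate signed data, which also covers the cached-data integrity check and the signing operation described in the earlier sections; this is an added example, not part of the original article. ECDSA on P-256 with SHA-256, the function names and the sample payload are assumptions, and the publisher key pair is generated inside the demo only so the block is self-contained.

```javascript
// Added example: verify a signed cache entry with a public key shipped as a JWK.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle; // browser or Node.js
const KEY_ALG = { name: "ECDSA", namedCurve: "P-256" };
const SIG_ALG = { name: "ECDSA", hash: "SHA-256" };
const utf8 = new TextEncoder();

// Publisher side (constructed for the demo): sign a payload, export the public key as a JWK.
async function publish(payload) {
  const pair = await subtle.generateKey(KEY_ALG, false, ["sign", "verify"]);
  const signature = new Uint8Array(await subtle.sign(SIG_ALG, pair.privateKey, utf8.encode(payload)));
  const publicJwk = await subtle.exportKey("jwk", pair.publicKey);
  return { publicJwk, entry: { payload, signature } };
}

// Application side: import the JWK deployed with the app and check an entry before using it.
async function verifyCached(publicJwk, entry) {
  // Pin the expected key type and refuse a JWK that carries private key material.
  if (publicJwk.kty !== "EC" || publicJwk.crv !== "P-256" || "d" in publicJwk) {
    throw new Error("unexpected key in JWK");
  }
  const key = await subtle.importKey("jwk", publicJwk, KEY_ALG, false, ["verify"]);
  return subtle.verify(SIG_ALG, key, entry.signature, utf8.encode(entry.payload));
}

async function demoCachedData() {
  const { publicJwk, entry } = await publish('{"balance":100}');
  const intact = await verifyCached(publicJwk, entry);
  // Simulate an offline modification of the locally cached payload.
  const tampered = await verifyCached(publicJwk, { ...entry, payload: '{"balance":999}' });
  return { intact, tampered, kty: publicJwk.kty };
}
```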

Conformity to the Web Cryptography API

The W3C recommends that vendors avoid using vendor-specific proprietary extensions with specifications for the Web Cryptography API. This is because it could reduce the interoperability of the API and break up the user base since not all users would be able to access the particular content. It is recommended that when a vendor-specific extension cannot be avoided, the vendor should prefix it with vendor-specific strings to prevent clashes with future generations of the API's specifications.

Source: https://coinselected.com