Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use native API for AES #314

Closed
totaam opened this issue Jul 10, 2024 · 5 comments
Closed

use native API for AES #314

totaam opened this issue Jul 10, 2024 · 5 comments
Labels
enhancement New feature or request network

Comments

@totaam
Copy link
Collaborator

totaam commented Jul 10, 2024
edited
Loading

Switch from forge to W3C: SubtleCrypto interface

forge has problems and doesn't handle Uint8Array natively, which makes it slow - also it looks abandoned.
The new API supports BufferSource.

We can remove huge libraries and rely on the browser implemenation!
even Safari supports it: caniuse: SubtleCrypto

Some examples here: aes-cbc
@totaam totaam added enhancement New feature or request network labels Jul 10, 2024
@totaam
Copy link
Collaborator Author

totaam commented Sep 29, 2024

Some useful links:

totaam added a commit that referenced this issue Sep 29, 2024
@totaam
#314 use crypto.subtle for hmac authentication
c2e2977 
aes still needs doing.. fails with the ever so unhelpful 'OperationError'
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 add crypto test page
c7d2e63
@totaam totaam mentioned this issue Oct 1, 2024
Closed
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 also verify decryption of pre-defined message
a12cdf3
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 correct PKCS#7 padding is always at least one byte
9545a44
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 send key salt as raw bytes
1242ac9 
and require 'crypto.getRandomValues' rather than using an insecure fallback
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 test with 10000 iterations
4602cc2
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 decrypted packet data must be in a Uint8Array
113ae46
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 error handler was now missing 'proto_flags' var
7d13482
totaam added a commit that referenced this issue Oct 1, 2024
@totaam
#314 better key stretch iterations range
4b44b1e
totaam added a commit that referenced this issue Oct 2, 2024
@totaam
#314 more thorough roundtrip verification
7dff29a
totaam added a commit that referenced this issue Oct 2, 2024
@totaam
#314 cbc padding is only 128 bits
c24b97c
@totaam
Copy link
Collaborator Author

totaam commented Oct 2, 2024

The key (!) problem is that the xpra python code wrongly used 258 bits of padding with AES-CBC, which manifested itself half the time! See: Xpra-org/xpra#4372 (comment)

totaam added a commit that referenced this issue Oct 2, 2024
@totaam
#314 oops, no local 'params' var here
f7f92bd
totaam added a commit that referenced this issue Oct 2, 2024
@totaam
#314 simplify using 'encryption' namespace
8224918
totaam added a commit that referenced this issue Oct 3, 2024
@totaam
#314 use correct Uint8Array size, better error messages
be9797f
totaam added a commit that referenced this issue Oct 3, 2024
@totaam
#314 subtle.encrypt returns an ArrayBuffer, we want a Uint8Array..
4395971
totaam added a commit that referenced this issue Oct 3, 2024
@totaam
#314 doh: use the header data specified
bffd5c2 
not the current one, which may be different by then.
also some logging tweaks
totaam added a commit that referenced this issue Oct 3, 2024
@totaam
#314 simpler (and correct) padding calculation
e693298
@totaam
Copy link
Collaborator Author

totaam commented Oct 3, 2024

Now working for AES-CBC (which is the default mode).

The other modes need more work.

@totaam
Copy link
Collaborator Author

totaam commented Oct 5, 2024

As per the Xpra-org/xpra#4372 (comment), the browser's implementation of AES is inadequate for our use case.
What we really want is Web Crypto Streams instead - which is only at the draft stage 😞

So the options to make this work without making it completely unsafe are:

  • send new IV with each new encrypted packet - would make sense to use a counter for some of the bits rather than just random input, to avoid the birthday paradox: 3 common mistakes when implementing encryption : IV generation: It's always better to generate AES-GCM, AES-CTR and ChaCha20 nonces deterministically with a counter rather than randomly, or worse, hardcoded.
  • does this make any sense to use any other modes at all?

totaam added a commit that referenced this issue Oct 7, 2024
@totaam
#314 compatibility with xpra 6.2 AES
842fd3c 
tell the server that we can't handle stream mode, so that it will send a new iv with every encryption 'session'
totaam added a commit that referenced this issue Oct 7, 2024
@totaam
#314 handle iv packet prefix
ed0b9fc 
missed from 842fd3c which implies using a new iv for every packet
@totaam totaam mentioned this issue Oct 8, 2024
Open
@totaam
Copy link
Collaborator Author

totaam commented Oct 8, 2024

This will do for now.

It's likely that more updates will be needed for Xpra-org/xpra#4375

@totaam totaam closed this as completed Oct 8, 2024
@totaam totaam mentioned this issue Oct 11, 2024
Closed
totaam added a commit that referenced this issue Dec 31, 2024
@totaam
#314 better key stretch iterations range
3961c83
@totaam totaam mentioned this issue Feb 5, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request network
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@totaam