Class window.crypto

by Douglas Stebila – 2009/08/12

This document describes one proposed additions to Javascript to enable application-level cryptography in Javascript: an interface to the TLS keying material exporter, standardized as RFC 5705.

This functionality allows an application to safely derive ("export") additional keying material from the master secret generated by TLS. By exposing this functionality to an application, the application can perform cryptographic operations that are bound to the underlying TLS channel.

For example, a client could establish an encrypted TLS channel with a server without using client certificates, then later perform a cryptographic protocol at the application layer to perform secure password authentication. By using TLS keying material exporters, the application can bind the password authentication to the underlying TLS channel. This means that the client can detect a man-in-the-middle or phishing attack at the application layer: if there was a man-in-the-middle attacker who had set up separate TLS channels with the client and the server and relayed the traffic between them, the exported keying material would be different and the client and the real server would be able to detect this. Note that this works even if the client mistakenly accepted the certificate it was presented with when it should not have (such as in a phishing attack).

This function only works when the page loaded into the window uses HTTPS with TLS v1.0 or higher; otherwise, it returns null. Although loading a page may result in multiple requests issued, possibly over different TLS channels, this function uses the TLS channel for the main page loaded into the window, not any subrequests.

An implementation exists for Mozilla Firefox with the patch in Bugzilla bug #508184.

The following example returns a string containing 40 bytes generated from the label "EXPERIMENTAL test".