Dailydave mailing list archives
Re: entropicdata.com ?
From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi () aspectsecurity com>
Date: Wed, 20 May 2009 14:40:03 -0400
Secure, flexible, client-side key generation capability is already available in Firefox through the sort-of bizarre <keygen> tag [1]. I haven't researched the tag much but I'm sure it's a much better source of general entropy out of the box than Math.random(), despite the fact that that's not the intended use. Try it out locally: <html> <body> <form action="#" method="get"><keygen name="foo" keytype="RSA"/></form> <script> if ( ! /#/.test(document.location) ) { window.onload = function() { document.forms[0].submit(); }; } </script> </body> </html> In case your reader doesn't see the above HTML, see [2]. It would be trivial to write JavaScript to automatically submit the invisible form to a hidden iframe on your origin and read the key value from various iframe properties. This would make the generation seamless, except for the non-threatening dialog Firefox briefly pops up. If you don't like it, it may be possible to redress it; I haven't tried. Right now it's more of a novelty than anything else - maybe at worst a stop-gap for the FF segment of your users. However, I strongly agree that crypto functionality is needed on the client-side. Its presence in, say, a readily available JavaScript API could encourage naïve people to do naïve things, but my counterargument is that they're doing naïve things now, with badly written APIs, which is almost surely worse. - Arshan [1] https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag [2] http://i8jesus.com/stuff/keygen/keygen.html From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel Sent: Tuesday, May 19, 2009 7:44 PM To: dailydave () lists immunitysec com Subject: [Dailydave] entropicdata.com ? Lots of people are doing things in web services (AJAX, etc) that require real crypto. So they implement RSA/twofish/etc in Javascript and run that in the browser. But this requires a way to generate a key which requires some entropy. There's no "feed of random numbers" that I know of on the web that you can use to seed your crypto, probably because of cross site restrictions. But it seems like either google gears, HTML5, or one of the other new extensions should offer it as a built-in API. Likewise if they allowed you to get data from other sites (which the new Firefox does sometimes?) then you could set up a web service for people to use to get their entropic data from (over SSL of course :>). What else are people using for this? It seems to be a bit of a theme here at SyScan (re: David Thiel's RIA presentation). Is there an API in Silverlight/Flash/etc that lets you get entropy and then give it back to the browser context? -dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- entropicdata.com ? Dave Aitel (May 19)
- Re: entropicdata.com ? kowsik (May 20)
- Re: entropicdata.com ? Jon Oberheide (May 20)
- Re: entropicdata.com ? Jim Manico (May 20)
- Re: entropicdata.com ? Michal Zalewski (May 20)
- Re: entropicdata.com ? Arshan Dabirsiaghi (May 20)
- Re: entropicdata.com ? Nate Lawson (May 22)
- Re: entropicdata.com ? Dave Aitel (May 26)
- Re: entropicdata.com ? Nate Lawson (May 27)
- Re: entropicdata.com ? Dave Aitel (May 26)