[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?

Alfonso De Gregorio alfonso.degregorio at gmail.com
Wed Mar 11 10:20:42 EDT 2015


On Wed, Mar 11, 2015 at 10:53 AM, Fabio Pietrosanti (naif) - lists
<lists at infosecurity.ch> wrote:
> Hi all,
>
> at GlobaLeaks we're undergoing implementation of client-side encryption
> with server-side storage of PGP Private keys.
>
> Obviously the hashing to be used for storing such PGP private keys has
> to be strong enough, with valuable key-stretching approach.
>
> We're now considering using Scrypt with some finely tuned parameters,
> but we've concern regarding it's performance in the browser as a JS
> implementation.
>
> PBKDF2 is available from WebCrypto API and, as far as i read and
> understand but i'm not that low-level-crypto expert, is used internally
> to scrypt.

Sure, scrypt uses PBKDF2 with HMAC-SHA-256 as its PRF of choice in the
state expansion and compression steps [1].

> Does anyone know of any scrypt implementation that try to leverage the
> WebCrypto API?

AFAICT, there is no such implementation yet. While PBKDF2 is included
in the WebCrypto API specifications, to date its support is pretty
limited. PBKDF2 works with Chrome Canary (Windows and OSX) and Opera
Developer (Windows); it also works with Firefox, but only with SHA-1
--- as such, it is not relevant for scrypt applications.

Until more browsers start supporting PBKDF2 with HMAC-SHA-256, you
might be better of reverting to a JavaScript library, to be plugged in
your scrypt implementation. I never took the chance to look at it, but
I heard that asmcrypto.js provides the fastest PBKDF2-HMAC-SHA-256
implementation in town [2].

Good luck.

[1] http://tools.ietf.org/id/draft-josefsson-scrypt-kdf-02.txt
[2] https://github.com/vibornoff/asmcrypto.js

-- Alfonso

tweets @secYOUre


More information about the cryptography mailing list