From MozillaWiki
Jump to: navigation, search

DOMCrypt API Use Cases

Back to DOMCrypt Draft Spec:


  • Deuxdrop ( ), a project from Mozilla Labs would benefit from the DOMCrypt API.
  • Boot2Gecko apps will benefit greatly from the DOMCrypt API, as the only thing to consume is the DOM and all of the APIs we provide.
    • Example: Natasha and Boris would like to message one another privately via a web application. The server is untrusted and all message data that Natasha sends to the server should be encrypted so only Boris can read it after downloading. A server compromise will net the server's attacker only blobs of useless data. This web application will use the Public Key API:*

Example Code:

var publicKey = messagingApp.getPublicKey("boris");

var plainText = "Hey, wanna grab a root beer with me after work?";, publicKey, function callback(aCipherMessage) {
  // Asynchronous crypto API - the plainText is encrypted and the CipherMessage object is returned to this callback function
  // aCipherMessage is a JS object literal: 
  //   { content: <ENCRYPTED, BASE64 Encoded String>, 
  //     pubKey: <PUBLICKEY used to encrypt the a symmetric key>, 
  //     wrappedKey: <SYMMETRIC KEY wrapped with the recipient's public key>,
  //     iv: <Initialization Vector> 
  //   }
  messagingApp.sendMessage(aCipherMessage, {from: 'natasha', to: 'boris'});

Symmetric Crypto via Diffie-Hellman Key Exchange

  • TBD
  // This API is under development


SHA 256 hashes are handy for storing passwords and generating checksums (among other uses)

Example code uses the hashing API, using the constructor window.crypto.hash

var hasher = new window.crypto.hash("RS256");
var myData = "1234567890abcdefghijklmnopqrstuwxyz";
var arrBufferView = new Int8Array(myData.length);

for (var i = 0; i < myData.length; i++) {
  arrBufferView[i] = myData.charCodeAt(i);


var hashed = hasher.finish();

// Another idea: generating a file checksum in conjunction with the FileAPI

New Ideas

  • Some ideas that have been mentioned via mailing lists, etc.

An API to make <keygen> easier

  • Jonas Sicking mentioned this to me during a Mozilla All-hands DOMCrypt presentation

Signing APIs that would allow S. Korean web users to use any browser for online banking