BrowserID Key Wrapping

From MozillaWiki
Jump to navigation Jump to search

When a user logs in to a web site directly, that web site has the user's password available to it, and it can use this password as a source of entropy for a cryptographic key. Once a web site uses BrowserID, that goes away. With BrowserID key wrapping, we're bringing this feature back. We're providing a way for web sites to get access to a cryptographic key based on the user's login.

API and Overall Behavior

A web site wants to have access to a securely stored cryptographic key bound to each of its users. That key should survive across multiple BrowserID logins, and be as stable as possible: if it is lost, the user's data that the site chooses to secure with this key will also be lost.

BrowserID does not store any data on behalf of the web site. Instead, it provides a wrapping/unwrapping API. The web site is expected to generate the user's key, wrap it via BrowserID, and store the wrapped key on its own servers.

It goes like this: 

 // web site logs the user in via BrowserID
 navigator.id.get(gotAssertion);
 
 function gotAssertion(assertion) {
   var key = generateKey();
 
   // wrap the key
   navigator.id.secret.wrap(assertion, key,
     function(wrappedKey) {
       // store the wrappedKey on the server
     },
     function(error) {});
 }

The key must be base64-encoded. The wrappedKey that is passed back is also base64-encoded. The plaintext is expected to be fairly short: mostly this is for wrapping other keys.

Internal API

Before this is exposed as a content API, BrowserID exposes secret wrapping as an internal API: 

 navigator.id.internal.secret.wrap(origin, assertion, plainKey, successCB, failureCB)
 navigator.id.internal.secret.unwrap(origin, assertion, wrappedKey, successCB, failureCB);

In this internal API, the origin has to be explicitly specified.

Architecture

BrowserID generates a new key for each email address it verifies. We call this the user key.

Browserid-userkeys.png

BrowserID wraps this user key with a password-key derived from the user's password. When the user changes their password, the user-key is unwrapped and rewrapped appropriately. If the user loses their password completely, in the current specification, the user-key is unrecoverable and may as well be deleted.


[diagram of wrapped keys]

Security Considerations

Further Work

Retrieved from "https://wiki.mozilla.org/index.php?title=BrowserID_Key_Wrapping&oldid=384350"