Using SubtleCrypto API for password check

In my addon I want to implement two features.

The first will be a simple lock (with a password) to prevent other users of the PC from editing anything in the addon.
The second should allow the user to encrypt his data using the same password (I will be implementing this later, but I want to be ready for it).

The use case is simple - the user creates some master password that will be required to unlock the UI.
Regarding implementation, my first thought was to simply hash the user's password and store the hash in the storage, for example using SubtleCrypto.digest().

However, the more I read about security, the less confident I feel. This solution would allow malicious users of the PC to access the hash and use a brute-force or dictionary attack to get the original password, which is unacceptable.

So my second thought was to use SubtleCrypto.importKey() and then SubtleCrypto.deriveKey(), just like in the example code here.

In the example code, the following part creates a CryptoKey:

await window.crypto.subtle.deriveKey(
  {
    "name": "PBKDF2",
    salt: salt,
    "iterations": 100000,
    "hash": "SHA-256"
  },
  keyMaterial,
  { "name": "AES-GCM", "length": 256},
  true,
  [ "encrypt", "decrypt" ]
);

Now this looks much better because I see some salt and a huge number of iterations, plus I can use this key to encrypt data and I can even store this CryptoKey object in storage.

Now the question is:

  1. is this approach safe enough?
  2. how do I verify user password against the stored CryptoKey???

You can also salt with the normal digest method. In the end, trying to defend against brute force from a hash stored on the local machine is a pointless endeavor as long as you don’t have access to encrypted storage provided by the platform (spoiler: you don’t have access to that). Even if you salt your hash, you’ll have to store the salt where you store the hash, as in locally. The difference between the two is primarily the key type, which in my opinion doesn’t really matter since you are both consumer and producer of the encrypted data, there is no negotiation or secret exchange etc.

Yes, good points. However, the point of using PBKDF2 is making cracking the password much harder. If you use 100,000 iterations then cracking the password should be 100,000 times slower compared to a simple hash + salt.

Anyway, after spending a whole day studying this, I see that I’ve made some mistakes…
What I actually need is SubtleCrypto.deriveBits(), which will give me an ArrayBuffer - which I can store and compare easily.

Also, I can’t reuse the same hash for locking the UI and locking data, since locking the UI requires that I store the hash and compare it with what the user enters, BUT when locking data, I mustn’t store the hash used to encrypt it :smiley:.
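
The split described in the last post, as an added example that is not part of the original thread: PBKDF2 with deriveBits() produces a stored verifier for the UI lock, while the AES-GCM data key is derived with its own salt and is never stored. The function names, record layout, salt sizes and sample password are assumptions; the iteration count and hash are the ones quoted above.

```javascript
// Added example. Works in a browser/extension page or in Node (fallback below).
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 100000; // value from the example quoted in the thread
const enc = new TextEncoder();

// Import the password as PBKDF2 key material (must be non-extractable).
function importPassword(password) {
  return wc.subtle.importKey("raw", enc.encode(password), "PBKDF2", false,
    ["deriveBits", "deriveKey"]);
}

async function pbkdf2Bits(password, salt) {
  const bits = await wc.subtle.deriveBits(
    { name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" },
    await importPassword(password), 256);
  return new Uint8Array(bits);
}

// UI lock: this record (salt + derived bits) is what goes into storage.
async function createVerifier(password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const hash = await pbkdf2Bits(password, salt);
  return { salt: Array.from(salt), hash: Array.from(hash) };
}

async function verifyPassword(password, record) {
  const bits = await pbkdf2Bits(password, new Uint8Array(record.salt));
  let diff = bits.length ^ record.hash.length; // compare without early exit
  for (let i = 0; i < bits.length; i++) diff |= bits[i] ^ record.hash[i];
  return diff === 0;
}

// Data lock: store only dataSalt (different from the verifier salt).
// The key is non-extractable and is re-derived from the password each session.
async function deriveDataKey(password, dataSalt) {
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt: dataSalt, iterations: ITERATIONS, hash: "SHA-256" },
    await importPassword(password),
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function demo() {
  const pw = "correct horse"; // constructed sample password
  const record = await createVerifier(pw);
  const dataSalt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV per message
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv },
    await deriveDataKey(pw, dataSalt), enc.encode("secret note"));
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv },
    await deriveDataKey(pw, dataSalt), ct);
  return { good: await verifyPassword(pw, record),
    bad: await verifyPassword("wrong guess", record),
    plaintext: new TextDecoder().decode(pt) };
}
```

Because the two salts differ, the stored verifier bits are not the AES key, so reading the verifier from storage does not hand over the data key directly; the password itself remains guessable offline at PBKDF2 cost.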