[Web] Encryption of saved value by app-specific key
koji-1009 opened this issue · 1 comment
koji-1009 commented
The current implementation is "secure" in the sense that when a user looks at LocalStorage, they cannot immediately identify the value. (I think that's enough for most cases.)
On the other hand, by reading the code in flutter_secure_storage, we can analyze the stored jwk. (Of course, it is hard work.)
To improve this analysis difficulty, I propose to obfuscate the stored jwk using an app-specific key.
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/wrapKey
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/unwrapKey
How about adding this option to WebOptions?
koji-1009 commented
The wrapping key can be generated by the following snippet.
```javascript
async function main() {
  // Random 12-byte IV for the later AES-GCM wrap/unwrap call
  const iv = new Uint8Array(12);
  window.crypto.getRandomValues(iv);

  // AES-GCM key generation takes only a name and length; the IV belongs to
  // the wrapKey/unwrapKey call, not to generateKey
  const key = await window.crypto.subtle.generateKey(
    {
      name: "AES-GCM",
      length: 256,
    },
    true,
    ["wrapKey", "unwrapKey"]
  );

  // Export the raw 32 key bytes and print both values as base64
  const rawKeyBuffer = await window.crypto.subtle.exportKey("raw", key);
  const rawKey = new Uint8Array(rawKeyBuffer);
  console.log("---iv---");
  const base64Iv = btoa(String.fromCharCode.apply(null, iv));
  console.log(base64Iv);
  console.log("---wrapping key---");
  const wrappingKey = btoa(String.fromCharCode.apply(null, rawKey));
  console.log(wrappingKey);
}
main();
```