Andi Gutmans Predicts The connection between Hope and Web innovation
Jan 07

Gears Future APIs: Crypto API

Gears, Google, Tech with tags: Add comments

As soon as you build richer and heavier applications that have any data or logic on the client, you get into the world of security. Ajax security is a hot topic. On the one hand, the game hasn’t changed at all:

Don’t trust the client!

But we see XSS, CSRF, and other tactics being used to do bad things. With the Gears Database component, we have to think about how safe that data is. Although data on a local machine is a bad thing, we have seen people using encrypted partitions to give some level of security. What if we could have a layer of Crypto in Gears itself? This would mean that a Web developer could use Crypto anywhere in their Web application.

Dojo Offline put encryption on top of Gears. In Dojo SQL you can use a magic ENCRYPT() function in your SQL string and it will be grabbed out and encrypted for you.

“Under the covers Dojo SQL’s cryptography is powered by 256-bit AES,
using the passphrase you provide to derive the key. Specifically, we use
the JavaScript AES implementation given here if you would like to study
how it works; special thanks to Chris Veness for contributing the AES
encryption code to Dojo.”

There are some JavaScript based AES libraries such as ecmaScrypt but the performance tends to be a touch slow. This problem is going away in the future as we see ActionMonkey come alive, as well as other trace based JIT compilers for JavaScript. This is still in future land though, so what about now.

There are some big questions when you really think about what a Gears Crypto API should be:

  • How low level should it be? Just a wrapper on something like openssl?
  • Should we just put encryption into the existing APIs?
  • What are we truly trying to solve here?

In general, when you aren’t sure, you end up getting low level APIs and you sit and wait for developers to built on top of it. This is one area where I would like to see a higher level API. In my experience, Crypto APIs are always too complex and in your face. Often you don’t want to choose a million options. You want to say “Erm, can you just encrypt this really well?”.

Would you like to see a crypto API that you could just use? If so, what would you actually like to see!

Other Future APIs

Disclaimer: This is me rambling about APIs and tools that I would love to see in Gears, or the Open Web as a whole. Do you have ideas for cool Gears that make the Web better? Let us know!.

2 Responses to “Gears Future APIs: Crypto API”

  1. richard Says:

    Clearly, data on a local machine is a bad thing. However, I would add that to some extend even in their encrypted forms, unfortunately…In fact as long as the cryptographic operations are processed within the memory of a non-trustworthy device (i.e: the device your using to read this post), there’s plenty of room for desktop attacks. Ideally the API should rely on portable tamper-proof devices (like smartcards) and also provide authentication and repudiation functionalities. How does that fit into Gears and Ajax ? I don’t have the answer. My 2cents would be that the API should at least leverage industry-proven technologies otherwise it would take only few weeks for hackers to blow it away.

  2. replicahandbags Says:

    thanks for your share.

Leave a Reply

Spam is a pain, I am sorry to have to do this to you, but can you answer the question below?

Q: Type in the word 'ajax'