[Web] Encryption of saved value by app-specific key #726
Comments
|
The wrapping key can be generated by the following snippet. async function main() {
const iv = new Uint8Array(12);
window.crypto.getRandomValues(iv);
const key = await window.crypto.subtle.generateKey(
{
name: "AES-GCM",
length: 256,
iv: iv,
},
true,
["wrapKey", "unwrapKey"]
);
const jsonWebKeyBuffer = await window.crypto.subtle.exportKey("raw", key);
const jsonWebKey = new Uint8Array(jsonWebKeyBuffer);
console.log("---iv---");
const base64Iv = btoa(String.fromCharCode.apply(null, iv));
console.log(base64Iv);
console.log("---wrapping key---");
const wrappingKey = btoa(String.fromCharCode.apply(null, jsonWebKey));
console.log(wrappingKey);
}
main(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The current implementation is "secure" in the sense that when a user looks at LocalStorage, they cannot immediately identify the value. (I think that's enough for most cases.)
https://github.com/mogol/flutter_secure_storage/blob/v9.2.2/flutter_secure_storage_web/lib/flutter_secure_storage_web.dart#L104
On the other hand, by reading the code in flutter_secure_storage, we can analyze the stored jwk. (Of course, it is hard work.)
To improve this analysis difficulty, I propose to obfuscate the stored jwk using an app-specific key.
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/wrapKey
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/unwrapKey
How about adding this option to
WebOptions?The text was updated successfully, but these errors were encountered: