Native JS Encryption

Robert Accettura robert at accettura.com
Fri Mar 18 10:09:04 PDT 2011


I'll prefix this by saying I'm not entirely certain if this should be
ECMA vs. HTML5 or dual track similar to the "Cryptographically strong
random numbers"[1] idea floating around.  I pitched the idea initially
via a blog post[2] recently which got a lot more positive feedback
than I expected.  I'll just summarize the more important bits here:

I'd like to propose native cryptography support utilizing a simplified
API for basic encryption/decryption.  Something along the lines of:

    Crypto.AES.encrypt("foo bar", password);

    Crypto.AES.decrypt(cryptString, password);

AES obviously being one example algorithm.  I'd expect AES to
eventually wane in popularity in favor of something new.  SHA-256 and
other hashing functions could be good as well.  SSL is great for
encrypting data in transit, but data is typically in transit for
seconds at most but stored on the client (cookies, dom storage) or
server for extended periods of time in plain text.  This would also
allow for serving some content encrypted from eavesdropping over http
(assuming a shared key is known by both client and server).
Encrypting data quickly on the client solves many problems.

This could be useful beyond just web browsers, node.js comes to mind.

While encryption algorithms could be implemented in JS (and have
been), doing so natively provides a boost as modern hardware is
accelerated for certain algorithms such as AES NI[3] as well as
removes the need for a library.  As client side applications get more
and more complicated and handle more and more data, especially in the
mobile world where CPU and power consumption are key this would make a
big difference.

Cite:
1.  http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-February/thread.html#30241
2.  http://robert.accettura.com/blog/2011/03/03/wanted-native-js-encryption/
3.  http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/

-- 
Robert Accettura
robert at accettura.com

