William Grasel PRO
Desenvolvedor Web, Google Developer Expert, Microsoft Most Valuable Professional, palestrante, consultor e coordenador do AngularSP.
const crypto = window.crypto || window.msCrypto; // for IE 11
crypto.getRandomValues(new Uint32Array(10));
const subtleCrypto = window.crypto.subtle;
subtleCrypto.decrypt(...);
subtleCrypto.deriveBits(...);
subtleCrypto.deriveKey(...);
subtleCrypto.digest(...);
subtleCrypto.encrypt(...);
subtleCrypto.exportKey(...);
subtleCrypto.generateKey(...);
subtleCrypto.importKey(...);
subtleCrypto.sign(...);
subtleCrypto.unwrapKey(...);
subtleCrypto.verify(...);
subtleCrypto.wrapKey(...);
window.crypto
.ItIsALowLevelAPI
.ItIsVeryEasyToMissUseIt
.IKnowWhatIamDoing
.encrypty(...)
> sha256sum ubuntu-mate-16.10-desktop-amd64.iso
c01b39c7a35ccc3b081a3e83d2c71fa9a767ebfeb45c69f08e17dfe3ef375a7b
SHA-256
"Lorem ipsum" (data)
0x8dsf8dwl2c0 (digest)
async function digestString(message) {
const encoder = new TextEncoder();
const data = encoder.encode(message);
const digestBuffer = await crypto.subtle.digest('SHA-256', data);
const decoder = new TextDecoder();
return decoder.decode(digestBuffer);
}
HMAC
"Lorem ipsum" (data)
0x8dsf8dwl2c0 (sign)
0x9s6mh7d8bew2 (key)
async function signData(dataBuffer, cryptoKey) {
const signBuffer = await crypto.subtle.sign(
"HMAC", cryptoKey, dataBuffer
);
return signBuffer;
}
async function verifyData(dataBuffer, cryptoKey, signBuffer) {
const bool = await crypto.subtle.verify(
"HMAC", cryptoKey, signBuffer, dataBuffer
);
return bool;
}
AES-GCM
"Lorem ipsum" (data)
0x8dsf8dwl2c0 (cipher)
0x9s6mh7d8bew2 (key)
0xd9v7fd773m2 (nonce)
async function encryptData(dataBuffer, cryptoKey) {
const nonce = crypto.getRandomValues(new Uint8Array(12));
const cipher = await crypto.subtle.encrypt(
{ name: "AES-GCM", iv: nonce },
cryptoKey,
dataBuffer
);
return { cipher, nonce }
}
async function decryptData(cipher, cryptoKey, nonce) {
const dataBuffer = await crypto.subtle.decrypt(
{ name: "AES-GCM", iv: nonce },
cryptoKey,
cipher
);
return dataBuffer;
}
PBKDF2
0x8dsf8dwl2c0 (week key)
0x8dsf8dwl2c0 (stronger key)
0x9s6mh7d8bew2 (salt)
50000 (interactions)
const encoder = new TextEncoder();
const encodedPass = encoder.encode(userPass);
const baseKey = await crypto.subtle.importKey(
'raw',
encodedPass,
'PBKDF2', // crypto algorithm
false, // cannot be reverted
['deriveKey'],
),
const salt = crypto.getRandomValues(new Uint8Array(8));
const cryptoKey = await crypto.subtle.deriveKey(
{
"name": "PBKDF2",
salt: salt,
"iterations": 100000,
"hash": "SHA-256"
},
baseKey,
{ "name": "AES-GCM", "length": 256 },
false, // cannot be reverted
[ "encrypt", "decrypt" ]
);
By William Grasel
Segurança e privacidade são requisitos essenciais de nosso tempo, e claro que muita gente usa esses fatores como desculpa para fazer aplicativos nativos, pois na Web não temos nenhuma outra proteção além do HTTPS, correto? ERRADO! A Web como plataforma tem se tornado cada vez mais madura, com novas API's que possibilitam novos casos de usos! Nessa palestra vamos ver como usar algoritmos avançados de criptografia e autenticação biométrica de forma nativa e segura na sua PWA!
Desenvolvedor Web, Google Developer Expert, Microsoft Most Valuable Professional, palestrante, consultor e coordenador do AngularSP.