Browser javascript: TLS sequence number authentication

personal_cloud

12/25/23, 10:13 PM

I am implementing TLS (or something like it perhaps) because the browser doesn't seem to provide a direct client-script interface to TLS. The browser provides a SubtleCrypto.encrypt() function that claims to do AES-GCM. However, the documentation for this function does not mention an input for RFC 5246/5116 AEAD Associated Data A which is authenticated but not encrypted.

Is there a way to use the existing SubtleCrypto.encrypt() function that includes the standard Associated Data A in a TLS-compatible way?

If not, then at minimum I would like to include the SN (TLS Sequence Number) somewhere, to prevent full-record replay attacks. Apart from TLS incompatibility, are there any potential drawbacks to simply adding the SN onto the session IV (which is an input to SubtleCrypto.encrypt()?)

TLS 1.2 definitely requires the SN in AEAD but maybe I don't care? (Does anyone still use TLS 1.2?)

The last time I implemented TLS 1.3, it had the SN in both the IV and AEAD Associated Data A. But AEAD may have been deprecated since then. Maybe that's why SubtleCrypto.encrypt() doesn't have the AEAD Associated Data A input? Surely the SN doesn't need to be included twice?

0 + 2

implementation

authenticated-encryption

Maarten Bodewes

12/27/23, 1:03 AM

Why would SubtleCrypto support TLS at all? That's for application level encryption, for whatever that's worth. And yes, it is a crappy interface. Not sure why you would implement TLS in JavaScript either, how are you going to perform the trust verification without certificate store? That's the whole problem with SubtleCrypto. Although it is supposedly subtle, it entirely forgot about the key management it seems.

Maarten Bodewes

12/27/23, 2:08 AM

Oh, it seems to be available, try this: https://developer.mozilla.org/en-US/docs/Web/API/AesGcmParams

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Browser javascript: TLS sequence number authentication

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.