
I'm trying to understand where the private keys are stored in the Persona system, and how they are protected.

Can anyone elaborate on where the crypto material is created, stored, and what is transferred?

makerofthings7

2 Answers


Tom is right that once browsers have native support for Persona, they will be able to store keys in their keystore.

Currently, however, browsers using the JavaScript shim make use of localStorage to store the keys in a way that only the shim is able to read and write them: https://speakerdeck.com/fmarier/persona-in-your-browsers-killing-your-passwords?slide=87

The keys themselves are created client-side in the browser, but make use of entropy coming from the login.persona.org server.


A look at the specification shows that in the BrowserID implementation, private key handling is delegated to a browser-supplied JavaScript API called navigator.id. So it is up to the browser to generate key pairs and store them "as best as it can". Documentation is scarce, but it seems plausible that browsers use the same facilities as what they use for X.509 certificates, i.e. libnss for Firefox, and the cryptographic providers of the operating system for Internet Explorer and Chrome. Private keys never escape the clutches of the browser (only public keys will travel to other machines).

Tom Leek
  • Are these cryptographic providers related to what the HTML element KeyGen uses? (Keygen seems to store a cert in DPAPI in Windows). I'm curious what would be the most secure solution. – makerofthings7 Mar 13 '13 at 14:39
  • It would make a lot of sense that `navigator.id.genKeyPair()` and the HTML `KeyGen` element are two entry points to the same facility. But I cannot vouch for what Microsoft developers chose to do in this specific case; they are known to occasionally make things slightly more tortuous and indirect than necessary. – Tom Leek Mar 13 '13 at 14:44