Storing Cryptographic Keys in Persistent Browser Storage

Update (March 5, 2025):
This post, and the presentation at ICMC 2017,
show how to use a browser as a credential wallet for same-device
presentation. Section 12.4 in
Chapter 12 of a
book I’m writing with
Sukhi Chuhan and Veronica Wojnas shows how it can also be used for
cross-device presentation, and how a WebView component of a native app
can be combined with a native code component to further support
proximity presentation over Bluetooth or NFC.

This blog post is a companion to a presentation made at the
2017 International Cryptographic Module Conference
and refers to the presentation
slides, revised after the
conference. Karen Lewison is a co-author of the presentation and of
this blog post.

Slide 2: Key storage in web clients

Most Web applications today use TLS, thus relying on cryptography to
provide a secure channel between client and server, and to
authenticate the server to the client by means of a cryptographic
credential, consisting of a TLS server certificate and its
associated private key. But other uses of cryptography by Web
applications are still rare. Client authentication still relies
primarily on traditional username-and-password, one-time passwords,
proof of possession of a mobile phone, biometrics, or combinations of
two or more of such authentication factors. Web payments still rely
on a credit card number being considered a secret. Encrypted
messaging is on the rise, but is not Web-based.

A major obstacle to broader use of cryptography by Web applications is
the problem of where to store cryptographic keys on the client side.