Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SubtleCrypto.deriveBits() with PBKDF2 and output length > 2048 bits #1671

Closed
juanelas opened this issue May 21, 2020 · 4 comments · Fixed by #5529
Closed

SubtleCrypto.deriveBits() with PBKDF2 and output length > 2048 bits #1671

juanelas opened this issue May 21, 2020 · 4 comments · Fixed by #5529
Assignees
@sideshowbarker
Labels
Content:WebAPI Web API docs

Comments

@juanelas
Copy link

Summary
What is the problem?
SubtleCrypto.deriveBits() with PBKDF2:

  • Length argument must be a multiple of 8. This is congruent with the RFC but should be documented
  • Length argument does not accept an input > 256 bytes. This constraint is not defined in the original PBKDF2 and should be considered to be removed.

Steps To Reproduce (STR)
How can we reproduce the problem?
Just run the following html in firefox:

<html>
<head><title>pbkdf2 - Firefox</title></head>
<body>
  <script>
    (async () => {
      const password = new ArrayBuffer() // empty password
      const passwordKey = await crypto.subtle.importKey('raw', password, 'PBKDF2', false, ['deriveBits'])
      const params = { // pbkdf2 params
        name: 'PBKDF2',
        hash: 'SHA-256',
        salt: new ArrayBuffer(),  // empty salt
        iterations: 1
      }
      crypto.subtle.deriveBits(params, passwordKey, 8 * 64).then(
        derivedKey => console.log(derivedKey), // no error since Lenght is a multiple of 8 and Length <= 256 bytes
        err => console.log("ERROR: can't derive more than 256 bytes (2048 bits)",err)
      )
      crypto.subtle.deriveBits(params, passwordKey, 8 * 384).then(
        derivedKey => console.log(derivedKey),
        err => console.log("ERROR: can't derive more than 256 bytes (2048 bits)",err) // error since Lenght > 256 bytes
      )
    })()
  </script>
</body>
</html>

Actual behavior
crypto.subtle.deriveBits(params, passwordKey, 8 * 384) produces error since 384 > 256

Expected behavior
To just derive 384 bytes (3072 bits)

Additional context
Sometimes you need an arbitrary output length for the PBKDF2 function, such as when using it to compute scrypt that you need to output p * 128 * r (with r usually 8 and p between 1 and 16).
@atopal atopal transferred this issue from mdn/kuma May 25, 2020
@chrisdavidmills chrisdavidmills transferred this issue from mdn/sprints Jan 24, 2021
@Gu7z
Copy link

Gu7z commented May 28, 2021
edited

Any updates? 👀 @chrisdavidmills

@sideshowbarker
Copy link
Collaborator

@twiss, The example code in the issue description seems to confirm that the assertions in the issue description are true — but can you please confirm? I mean specifically the following:

SubtleCrypto.deriveBits() with PBKDF2:

  • Length argument must be a multiple of 8. This is congruent with the RFC but should be documented

If that is in fact a requirement that implementations are required to enforce, should it be specified — or at last mentioned — in the WebCrypto spec itself? Or is it instead in fact the case that that requirement is normatively defined in RFC 2898, and so the WebCrypto spec should not try to also normatively (re)define it?

  • Length argument does not accept an input > 256 bytes. This constraint is not defined in the original PBKDF2 and should be considered to be removed.

Can you confirm that Length argument does not accept an input > 256 bytes” requirement is in fact not an actual requirement in any of the relevant specifications?

@twiss
Copy link
Contributor

twiss commented May 31, 2021

Hey 👋

If that is in fact a requirement that implementations are required to enforce, should it be specified — or at last mentioned — in the WebCrypto spec itself? Or is it instead in fact the case that that requirement is normatively defined in RFC 2898, and so the WebCrypto spec should not try to also normatively (re)define it?

Yeah, this is required here: https://w3c.github.io/webcrypto/#pbkdf2-operations

Can you confirm that Length argument does not accept an input > 256 bytes” requirement is in fact not an actual requirement in any of the relevant specifications?

This is indeed not a requirement, and Chrome and Safari allow this.

However, I can't actually find this requirement mentioned on MDN - I think this issue was meant to be a bug report in Firefox? So I assume this is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1469482.

@sideshowbarker sideshowbarker self-assigned this Jun 1, 2021
sideshowbarker added a commit that referenced this issue Jun 1, 2021
@sideshowbarker
Document that SubtleCrypto: deriveBits() length must be multiple of 8
f9f4ee6 
Fixes #1671
@sideshowbarker sideshowbarker mentioned this issue Jun 1, 2021
Merged
@sideshowbarker
Copy link
Collaborator

I’ve opened #5529 with a fix that documents the requirements for the length parameter.

@juanelas, @Gu7z — since per #1671 (comment) throwing for input > 256 bytes is not conformant with the spec requirements, if Firefox is throwing in that case, then the appropriate place to raise an issue for getting that (browser-specific) problem documented is in the https://github.com/mdn/browser-compat-data/issues issue tracker.

@Gu7z Gu7z mentioned this issue Jun 28, 2021
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@sideshowbarker sideshowbarker

Labels
Content:WebAPI Web API docs
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Document that SubtleCrypto: deriveBits() length must be multiple of 8 mdn/content
5 participants
@chrisdavidmills @sideshowbarker @twiss @juanelas @Gu7z