109 - Analysis of the W3C Web Crypto API Key Management Mechanism
The W3C is currently standardising an API for cryptography in web applications that will be implemented by all the major browser vendors. This is a major advance in web security: currently web applications have to perform their cryptography in javascript which creates a number of security problems. However designing such APIs is a far from trivial task: finding flaws in such APIs and then verifying their fixes has been a major subject for research in the INRIA PROSECCO team.
Harry Halpin, head of the W3C working group on the crypto API recently contacted the PROSECCO team to ask for an audit of the proposal, with special attention to the key management commands. This we will do by designing a small formal model and verifying it with our tools. This model may then be used to help generate the standard javascript test suite for the API. The W3C consider this work to be highly important for future security on the web (their letter of interest backs this up).
The intern who will carry out the work under the supervision of PROSECCO researchers should be comfortable with basic notions in cryptography and formal modelling.
Cryptography
Security APIs
Formal Modelling
Javascript