Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove AES and SubtleCrypto from WASM #73858

Closed
8 tasks done
radical opened this issue Aug 12, 2022 · 12 comments · Fixed by #74165
Closed
8 tasks done

Remove AES and SubtleCrypto from WASM #73858

radical opened this issue Aug 12, 2022 · 12 comments · Fixed by #74165
Assignees
@eerhardt
Labels
arch-wasm WebAssembly architecture area-System.Security blocking-release
Milestone
7.0.0

Comments

@radical
Copy link
Member

radical commented Aug 12, 2022
edited by eerhardt
Loading

We've concluded that using the SharedArrayBuffer approach via a worker is not yielding the end-to-end experience or quality necessary to release this integration. Details and commentary on #72810 show some specific challenges that emerged:

  1. Blazor uses their own runtime initialization path and the crypto initialization call is not included in that path (or public)
    • This was addressable
  2. Blazor's publish targets limit what files end up in the publish output history
    • This was addressable
  3. Chromium is soon going to start limiting SharedArrayBuffer to be available only for cross-origin isolated sites. This will take effect as of Chromium v106.
  4. A deadlock that was discovered

These challenges lead to discussions about how often the managed implementations apply vs. the SubtleCrypto implementations. When we laid out the plan to rely on SubtleCrypto through SharedArrayBuffer, we understood this would enable us to use SubtleCrypto in ~90% of scenarios. The plan was to only fall back to managed implementations "on browsers which do not support SharedArrayBuffer. However, with the recognition that the default end-to-end experience disallows use of SharedArrayBuffer broadly, that changed the picture dramatically. We now find ourselves in the situation where 90% or more of scenarios will be relying on the managed implementations, and customers desiring the native implementations must consider tradeoffs for other behavior changes that will occur in their applications. That's not an acceptable outcome.

With these findings and realizations, we're dialing back what we'll be able to support, and we will not rely on a SharedArrayBuffer bridge to invoke async SubtleCrypto APIs from synchronous .NET code. Instead, the supported algorithms will be exclusively supported via managed code and scoped to algorithms without known side channel leaks of the key. Per the original design document:

The implementations of our in-box managed algorithms will be faithful to the appropriate standards. However, we will not pursue FIPS 140-2 or any other certification for them. Our in-box managed algorithm implementations are not intended to be free of side channels.

Here's the net result of the changes to what will be supported.

API .NET 6 .NET 7 - Planned .NET 7 - Actual
MD5 Not Supported Not supported Not supported
SHA1 Managed SubtleCrypto (managed fallback) Managed
SHA256 Managed SubtleCrypto (managed fallback) Managed
SHA384 Managed SubtleCrypto (managed fallback) Managed
SHA512 Managed SubtleCrypto (managed fallback) Managed
HMACMD5 Not supported Not supported Not supported
HMACSHA1 Not supported SubtleCrypto (managed fallback) Managed
HMACSHA256 Not supported SubtleCrypto (managed fallback) Managed
HMACSHA384 Not supported SubtleCrypto (managed fallback) Managed
HMACSHA512 Not supported SubtleCrypto (managed fallback) Managed
AES-CBC (key sizes 128 + 256) Not supported SubtleCrypto (managed fallback) Not supported
PBKDF2 (via Rfc2898DeriveBytes) Not supported SubtleCrypto (managed fallback) Managed
HKDF Not supported SubtleCrypto (managed fallback) Managed
Asymmetric Not supported Not supported Not supported
Certificates Not supported Not supported Not supported

We do not have plans to try this integration with SubtleCrypto again. Instead, for customers needing native implementations or unsupported algorithms such as AES, we advise they use JavaScript interop to invoke SubtleCrypto directly. That approach will allow the application to be written such that the call can be made in an asynchronous context.

Tasks

  • Remove the worker from WasmAppBuilder
  • Remove the call from startup.ts
  • Remove the DLLImports
  • Remove the C# code that is calling this
  • Remove the special js-module-crypto in AssetBehaviours typescrypt
  • Remove js-module-crypto handling in the SDK (replace it with js-module-threads would be useful)
  • Remove managed AES implementation
  • Remove the subtlecrypto run of the tests ([wasm] Misc tests related fixes #73884)

cc @pavelsavara @maraf @lambdageek @eerhardt
@radical radical added arch-wasm WebAssembly architecture area-VM-meta-mono labels Aug 12, 2022
@ghost
Copy link

ghost commented Aug 12, 2022

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

Issue Details
  • Remove the worker from WasmAppBuilder
  • Remove the call from startup.ts
  • Remove the DLLImports
  • Remove the C# code that is calling this
  • Remove the special behavior type

cc @pavelsavara @maraf @lambdageek @eerhardt

Author: radical
Assignees: -
Labels:

arch-wasm, area-VM-meta-mono
Milestone: -

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Aug 12, 2022
@radical radical added blocking-release and removed untriaged New issue has not been triaged by the area owner labels Aug 12, 2022
@radical radical added this to the 7.0.0 milestone Aug 12, 2022
@eerhardt eerhardt self-assigned this Aug 12, 2022
@vcsjones
Copy link
Member

No rush but.. can someone explain a bit what exactly the intention is here? We found a way to use subtlecrypto without SharedArrayBuffer?

@jeffhandley jeffhandley changed the title [wasm] Tracking issue for removing crypto worker Remove AES and SubtleCrypto from WASM Aug 13, 2022
@jeffhandley
Copy link
Member

jeffhandley commented Aug 13, 2022
edited
Loading

@vcsjones I've updated the issue title and description to capture what we found we need to do. At a high level, we found the SharedArrayBuffer bridge to SubtleCrypto was not yielding the end-to-end experience we had relied on being able to achieve.

@vcsjones
Copy link
Member

vcsjones commented Aug 13, 2022
edited
Loading

@jeffhandley is this specific to AES, or is HMAC / PBKDF2 included as well?

Never mind I can't read. It's spelled out nicely in the table.

@vcsjones
Copy link
Member

I am curious why AES specifically, when it was my understanding that HMAC and PBKDF were also using the SharedArrayBuffer.

@pavelsavara
Copy link
Member

No rush but.. can someone explain a bit what exactly the intention is here? We found a way to use subtlecrypto without SharedArrayBuffer?

There is new interop with JavaScript based on [JSImportAttribute]. It could be used to wrap subtlecrypto's asynchronous API. Applications with requirements to use certified crypto could find a way how to call it asynchronously.

That integration could be independent Nuget package and doesn't have to be in the runtime code. It could also wrap asymmetric algorithms.

@jeffhandley
Copy link
Member

I am curious why AES specifically, when it was my understanding that HMAC and PBKDF were also using the SharedArrayBuffer.

Thanks for calling that out, @vcsjones. I've edited the description again to be clearer that what remains supported is now only supported via managed implementations, with that scope being limited to algorithms without known side-channel leaks of keys.

@jeffhandley jeffhandley mentioned this issue Aug 13, 2022
Closed
24 tasks
@SteveSandersonMS SteveSandersonMS mentioned this issue Aug 15, 2022
Closed
@ghost
Copy link

ghost commented Aug 16, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

We've concluded that using the SharedArrayBuffer approach via a worker is not yielding the end-to-end experience or quality necessary to release this integration. Details and commentary on #72810 show some specific challenges that emerged:

  1. Blazor uses their own runtime initialization path and the crypto initialization call is not included in that path (or public)
    • This was addressable
  2. Blazor's publish targets limit what files end up in the publish output history
    • This was addressable
  3. Chromium is soon going to start limiting SharedArrayBuffer to be available only for cross-origin isolated sites. This will take effect as of Chromium v106.
  4. A deadlock that was discovered

These challenges lead to discussions about how often the managed implementations apply vs. the SubtleCrypto implementations. When we laid out the plan to rely on SubtleCrypto through SharedArrayBuffer, we understood this would enable us to use SubtleCrypto in ~90% of scenarios. The plan was to only fall back to managed implementations "on browsers which do not support SharedArrayBuffer. However, with the recognition that the default end-to-end experience disallows use of SharedArrayBuffer broadly, that changed the picture dramatically. We now find ourselves in the situation where 90% or more of scenarios will be relying on the managed implementations, and customers desiring the native implementations must consider tradeoffs for other behavior changes that will occur in their applications. That's not an acceptable outcome.

With these findings and realizations, we're dialing back what we'll be able to support, and we will not rely on a SharedArrayBuffer bridge to invoke async SubtleCrypto APIs from synchronous .NET code. Instead, the supported algorithms will be exclusively supported via managed code and scoped to algorithms without known side channel leaks of the key. Per the original design document:

The implementations of our in-box managed algorithms will be faithful to the appropriate standards. However, we will not pursue FIPS 140-2 or any other certification for them. Our in-box managed algorithm implementations are not intended to be free of side channels.

Here's the net result of the changes to what will be supported.

API .NET 6 .NET 7 - Planned .NET 7 - Actual
MD5 Not Supported Not supported Not supported
SHA1 Managed SubtleCrypto (managed fallback) Managed
SHA256 Managed SubtleCrypto (managed fallback) Managed
SHA384 Managed SubtleCrypto (managed fallback) Managed
SHA512 Managed SubtleCrypto (managed fallback) Managed
HMACMD5 Not supported Not supported Not supported
HMACSHA1 Not supported SubtleCrypto (managed fallback) Managed
HMACSHA256 Not supported SubtleCrypto (managed fallback) Managed
HMACSHA384 Not supported SubtleCrypto (managed fallback) Managed
HMACSHA512 Not supported SubtleCrypto (managed fallback) Managed
AES-CBC (key sizes 128 + 256) Not supported SubtleCrypto (managed fallback) Not supported
PBKDF2 (via Rfc2898DeriveBytes) Not supported SubtleCrypto (managed fallback) Managed
HKDF Not supported SubtleCrypto (managed fallback) Managed
Asymmetric Not supported Not supported Not supported
Certificates Not supported Not supported Not supported

We do not have plans to try this integration with SubtleCrypto again. Instead, for customers needing native implementations or unsupported algorithms such as AES, we advise they use JavaScript interop to invoke SubtleCrypto directly. That approach will allow the application to be written such that the call can be made in an asynchronous context.

Tasks

  • Remove the worker from WasmAppBuilder
  • Remove the call from startup.ts
  • Remove the DLLImports
  • Remove the C# code that is calling this
  • Remove the special js-module-crypto in AssetBehaviours typescrypt
  • Remove js-module-crypto handling in the SDK (replace it with js-module-threads would be useful)
  • Remove managed AES implementation
  • Remove the subtlecrypto run of the tests ([wasm] Misc tests related fixes #73884)

cc @pavelsavara @maraf @lambdageek @eerhardt

Author: radical
Assignees: eerhardt
Labels:

arch-wasm, area-System.Security, blocking-release
Milestone: 7.0.0

@vcsjones vcsjones mentioned this issue Aug 17, 2022
Closed
@radical radical mentioned this issue Aug 17, 2022
Closed
10 tasks
@eerhardt eerhardt mentioned this issue Aug 18, 2022
Merged
7 tasks
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Aug 18, 2022
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Aug 19, 2022
eerhardt added a commit that referenced this issue Aug 19, 2022
@eerhardt
Remove AES and SubtleCrypto from WASM (#74165)
4f7a096 
* Revert 6a02d5d

* Revert relevant parts of 4222e69 and AES pieces of 8f75cc9

* Remove Subtle Crypto interop code

Fix #73858
eerhardt added a commit to eerhardt/runtime that referenced this issue Aug 19, 2022
@eerhardt
Remove AES and SubtleCrypto from WASM (dotnet#74165)
b3a2a99 
* Revert 6a02d5d

* Revert relevant parts of 4222e69 and AES pieces of 8f75cc9

* Remove Subtle Crypto interop code

Fix dotnet#73858
@eerhardt
Copy link
Member

Re-opening to backport to 7.0

@eerhardt eerhardt reopened this Aug 19, 2022
@eerhardt eerhardt mentioned this issue Aug 19, 2022
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Aug 19, 2022
@eerhardt eerhardt mentioned this issue Aug 19, 2022
Closed
carlossanlop pushed a commit that referenced this issue Aug 20, 2022
@eerhardt
Remove AES and SubtleCrypto from WASM (#74165) (#74246)
e897e88 
* Revert 6a02d5d

* Revert relevant parts of 4222e69 and AES pieces of 8f75cc9

* Remove Subtle Crypto interop code

Fix #73858
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Aug 20, 2022
eerhardt added a commit to dotnet/sdk that referenced this issue Aug 22, 2022
@eerhardt
Remove js-module-crypto handling in the SDK
2015c96 
Contributes to dotnet/runtime#73858
jkoritzinsky pushed a commit to dotnet/sdk that referenced this issue Aug 22, 2022
@eerhardt @jkoritzinsky
Remove js-module-crypto handling in the SDK
2d19ab8 
Contributes to dotnet/runtime#73858
@lewing
Copy link
Member

lewing commented Aug 24, 2022

@eerhardt are we done here now?

@lewing lewing closed this as completed Aug 24, 2022
@eerhardt
Copy link
Member

Yes, the last task:

Remove js-module-crypto handling in the SDK was completed this morning when the new dotnet/runtime made its way into dotnet/sdk.

@lewing
Copy link
Member

lewing commented Aug 24, 2022

thanks again for all the help

@eerhardt eerhardt mentioned this issue Aug 30, 2022
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Sep 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@eerhardt eerhardt

Labels
arch-wasm WebAssembly architecture area-System.Security blocking-release
Projects
None yet
Milestone
7.0.0
Development

Successfully merging a pull request may close this issue.

Remove AES and SubtleCrypto from WASM eerhardt/runtime
6 participants
@radical @lewing @pavelsavara @vcsjones @jeffhandley @eerhardt