Introducing Keyczar JS: Google Keyczar in JavaScript

The short story: We are releasing Keyczar JS, an implementation of Google Keyczar in JavaScript. We use this in Mitro’s password manager, and welcome feedback or contributions. We are currently running some benchmarks comparing the performance of a few different Keyczar implementations, and our implementation in a few different browsers. Follow us on Twitter for updates (or subscribe to this blog, if you are one of the few who still does that).

The long story: Using encryption correctly is not easy. If you configure things incorrectly, it may be completely useless (e.g. XML encryption can be bypassed using a padding oracle attack because the MAC was made optional). As a result, when we designed our secure password manager for groups and enterprises, we wanted a library designed by experts to make it harder for us to screw up. In the end, there are two worth considering: NaCl by Daniel J. Bernstein (aka DJB), or Keyczar by Google. We chose Keyczar for three reasons. First, Google uses it (in the Google Play Store Android app, amongst other areas). Second, other people we trust recommend it. Finally, it uses algorithms that have been standardized by NIST and are widely used (AES, RSA, HMAC). While this does not mean that they are more secure than DJB’s algorithms used by NaCl (Curve25519, Salsa20, Poly1305), they are far more widely understood and studied.
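To make the "optional MAC" point concrete, here is an added example (not Keyczar JS or Mitro code) of encrypt-then-MAC where the tag is mandatory and checked before any decryption, so a tampered message never reaches the padding check. It uses Node's built-in `crypto` module; the message layout, the function names, the single error string and the choice of HMAC-SHA256 are assumptions made for this sketch.

```javascript
// Added example: AES-CBC with a mandatory HMAC, verified before decrypting.
const crypto = require("crypto");

const IV_LEN = 16;  // AES block size in bytes
const TAG_LEN = 32; // HMAC-SHA256 output size in bytes

// Constructed demo keys: independent keys for encryption and authentication.
function newKeys() {
  return { enc: crypto.randomBytes(16), mac: crypto.randomBytes(32) };
}

// Message layout (assumed for this example): IV || ciphertext || tag
function seal(keys, plaintext) {
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv("aes-128-cbc", keys.enc, iv);
  const body = Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
  // The tag covers the IV and the ciphertext, not the plaintext.
  const tag = crypto.createHmac("sha256", keys.mac).update(body).digest();
  return Buffer.concat([body, tag]);
}

function unseal(keys, message) {
  // Shortest valid message: IV + one ciphertext block + tag.
  if (message.length < IV_LEN + 16 + TAG_LEN) throw new Error("invalid message");
  const body = message.subarray(0, message.length - TAG_LEN);
  const tag = message.subarray(message.length - TAG_LEN);
  const expected = crypto.createHmac("sha256", keys.mac).update(body).digest();
  // Constant-time comparison; on mismatch we stop before touching the cipher,
  // so the caller can never observe a padding error on attacker-chosen input.
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error("invalid message");
  const iv = body.subarray(0, IV_LEN);
  const decipher = crypto.createDecipheriv("aes-128-cbc", keys.enc, iv);
  return Buffer.concat([decipher.update(body.subarray(IV_LEN)), decipher.final()]);
}

// Flip one bit at every byte position and collect the distinct outcomes.
// With a mandatory MAC there is exactly one: the same generic rejection.
function tamperOutcomes(keys, message) {
  const outcomes = new Set();
  for (let i = 0; i < message.length; i++) {
    const copy = Buffer.from(message);
    copy[i] ^= 0x01;
    try { unseal(keys, copy); outcomes.add("accepted"); }
    catch (e) { outcomes.add(e.message); }
  }
  return [...outcomes];
}
```

If the tag check were skipped or made optional, the same tampering would instead surface as a mix of padding failures and garbage plaintext, which is the distinguishable behaviour a padding oracle relies on.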

Google provides Keyczar for Java, C++, and Python, and there are third-party implementations for Go and C#. Those are great server-side languages, but since Mitro’s user interface is a browser extension, we need it to work in JavaScript. The Forge JavaScript crypto library includes the algorithms that Keyczar uses, so we thought it would be straightforward to implement Keyczar JS. However, there were three stumbling blocks that made it more complicated than expected:

  • Forge didn’t support RSA-OAEP, the encryption mode used by Keyczar, so we implemented it (we would love experts to review the implementation).
  • Keyczar keys are a set of JSON files in a directory. For use in JavaScript, we converted the directory to a JSON object, and wrote Java code to read and write this format. Sadly, Java Keyczar doesn’t make it easy to replace the key reading/writing code, so our implementation includes a few gross hacks. We are working on getting some changes upstream to make this easier.
  • Password-protected keys are supported by the C++ implementation, but not others, and the key format was not well documented. We had to reverse-engineer it by reading the source code. We have implemented support in JS and Java, and are working on getting these changes upstream. 

If you are looking for an easy-to-use JavaScript encryption library, we hope you will give Keyczar JS a try. Let us know what you think.