QUESTION: Doubt about Rxdb web crypto #6732
Comments
The encryption of So you could audit the code of the browsers themselves, but this is not RxDB specific.
We understood. But even if you're using browser libs you could be using it wrong. e.g.:

```js
window.myKey = await window.crypto.subtle.generateKey(
  {
    name: 'AES-GCM',
    length: 256,
  },
  true, // extractable
  ['encrypt', 'decrypt'],
);
// ... and then use window.myKey for all other crypto operations.
// key will be saved in RAM and exposed in the window element. (won't be garbage collected)
```

This is an absurd example, but it's a demonstration of what we are trying to check. Sorry if this channel is not the best place to be discussing this, we can continue wherever you want. Thanks in advance!
Ah, I misunderstood your first question.
Hi, we are developing a high security app with Ionic, and I was exploring solutions for our local-offline first database storage when I found this library.
I really liked it and suggested using it in our company, but our team had some doubts about the crypto storage.
Our app will utilize encryption, and we want to use `encryption-web-crypto` since `crypto-js` has some known vulnerabilities that we would like to avoid.
Is there a white paper on how the encryption is implemented?
We'd like to audit the code somehow, to see if it provides the security level we need. We understand that this specific sub-library is private to be able to monetize it, but it might affect the core of our app.
Thanks in advance.