Francisco Corella, Founder & CTO, Pomcor.

The use of cryptography in web applications has been limited by the problem of where to store keys on the client side. Keys have been stored in files accessed by Java applets, smart cards, USB dongles, Microsoft Information Cards, Microsoft Virtual Smart Cards, etc. But such key storage solutions cannot be broadly deployed because they require hardware, software, or specific browsers or platforms that are not generally available to all web users.

However, new solutions are being made possible by web technologies that have recently been standardized or are still experimental, including HTML5 localStorage, the IndexedDB API, the Web Cryptography API, the Web Authentication API, and the Service Worker API. In particular, the Service Worker API is a crucial emerging technology that enables the provisioning of cryptographic credentials using only web technology: it enables the JavaScript front-end of a credential issuance application to generate and store a key pair within the browser, then register a service worker that takes care of presenting the credential without involvement of the issuance application’s back-end. The talk will review these technologies, explain how they can be combined to implement several key storage solutions, and compare their security postures to those of traditional key storage methods.
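As an added illustration of the key generation step described above (not code from the talk or from Pomcor): the Web Cryptography API can create a signing key pair whose private key page script can use but cannot export, and a verifier can check a signed challenge against the registered public key. The function names are hypothetical; persisting the key in IndexedDB and presenting it from a service worker are browser-only steps and are left out.

```javascript
// Added example. Uses the standard Web Cryptography API; the require() fallback
// only exists so the snippet also runs on Node builds without a global `crypto`.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// Client: generate a key pair whose private key is usable but not extractable.
async function generateCredential() {
  const pair = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  // The public half stays exportable; it is what the verifier registers.
  const publicJwk = await subtle.exportKey('jwk', pair.publicKey);
  return { privateKey: pair.privateKey, publicJwk };
}

// Client: prove possession of the private key by signing a verifier challenge.
async function signChallenge(privateKey, challenge) {
  return new Uint8Array(await subtle.sign(SIG, privateKey, challenge));
}

// Verifier: check the signature against the registered public key.
async function verifyChallenge(publicJwk, challenge, signature) {
  const key = await subtle.importKey('jwk', publicJwk, ALG, true, ['verify']);
  return subtle.verify(SIG, key, signature, challenge);
}

// True if page script could read the raw private key.
async function privateKeyIsExportable(privateKey) {
  try {
    await subtle.exportKey('pkcs8', privateKey);
    return true;
  } catch (err) {
    return false; // InvalidAccessError for a non-extractable key
  }
}

async function demo() {
  const cred = await generateCredential();
  const challenge = webcrypto.getRandomValues(new Uint8Array(32)); // constructed
  const signature = await signChallenge(cred.privateKey, challenge);
  const otherChallenge = webcrypto.getRandomValues(new Uint8Array(32));
  return {
    verified: await verifyChallenge(cred.publicJwk, challenge, signature),
    acceptedForOtherChallenge: await verifyChallenge(cred.publicJwk, otherChallenge, signature),
    privateKeyExportable: await privateKeyIsExportable(cred.privateKey),
  };
}

demo().then((result) => console.log(result));
```

A non-extractable key still lets any script running in the same origin request signatures, so the property shown here protects the key material from being copied, not from being used.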

As they mature, these new web technologies will enable developers to incorporate cryptographic functionality into web applications without limiting those applications to specific browsers or platforms, or requiring special hardware or software. Such functionality may include user authentication, privilege escalation, remote identity proofing, end-to-end encryption for web mail, and new methods for securing online payments.

Advanced Technology Track