WebCrypto API Tracer

Cryptosense
August 7, 2014

A tracer is a simple but important tool for auditing crypto security that allows the analyst to see the calls made by an application to a crypto interface. This is especially useful if the application and/or the crypto provider are only available in binary or black-box form (e.g. an HSM), but the crypto API is known. Even if source code is available, a simple tracer can save a lot of time compared to instrumenting code or manually setting trace points.

Recently we've been involved in reviewing the draft W3C Web Crypto API. As a result of this, and as part of our ongoing work on web crypto, our intern Gregoire put together a Chrome extension that traces calls to the WebCrypto API. As you can see in the screenshots, a simple dropdown gives a list of all key objects in the session and their attributes.

[Screenshot: key_view]

You can get an output file in JSON format giving all the calls the web app made together with their parameters, or a list of the key objects.

[Screenshots: cst-field-example, key-json-example]
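To show the idea behind such a tracer, here is an added example (not the Cryptosense extension's code) that wraps a SubtleCrypto-like object, records each call with its parameters, and collects the attributes of the key objects those calls return. The names `traceSubtle` and `describe` and the layout of the trace are assumptions of this example.

```javascript
// Added example: a minimal call tracer for a SubtleCrypto-like object.
// Not the Cryptosense extension's code; names and trace layout are assumptions.
const METHODS = ['encrypt', 'decrypt', 'sign', 'verify', 'digest', 'generateKey',
  'deriveKey', 'deriveBits', 'importKey', 'exportKey', 'wrapKey', 'unwrapKey'];

// CryptoKey attributes are prototype getters, so detect keys with `in`.
const isKey = (v) => v !== null && typeof v === 'object' &&
  'extractable' in v && 'usages' in v && 'algorithm' in v;

// Convert an argument or result to a JSON-safe form. Byte buffers are reduced
// to their length (a choice of this example), which keeps bulk data out of
// the trace; JWK objects pass through unchanged.
function describe(v) {
  if (v instanceof ArrayBuffer || ArrayBuffer.isView(v)) return { bytes: v.byteLength };
  if (Array.isArray(v)) return v.map(describe);
  if (isKey(v)) {
    return { type: v.type, algorithm: describe(v.algorithm),
             extractable: v.extractable, usages: [...v.usages] };
  }
  if (v !== null && typeof v === 'object') {
    return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, describe(x)]));
  }
  return v;
}

// Returns { subtle, trace }: `subtle` forwards every call to the real object,
// `trace.calls` records method and parameters, and `trace.keys` records the
// attributes of every key object a call produced.
function traceSubtle(real) {
  const trace = { calls: [], keys: [] };
  const subtle = {};
  for (const name of METHODS) {
    if (typeof real[name] !== 'function') continue;
    subtle[name] = (...args) => {
      const entry = { method: name, args: args.map(describe) };
      trace.calls.push(entry); // recorded before the call runs
      return new Promise((resolve) => resolve(real[name](...args))).then(
        (result) => {
          entry.result = describe(result);
          for (const k of [result, result && result.publicKey, result && result.privateKey]) {
            if (isKey(k)) trace.keys.push(describe(k));
          }
          return result;
        },
        (err) => { entry.error = String((err && err.name) || err); throw err; });
    };
  }
  return { subtle, trace };
}
```

In a page you would pass `crypto.subtle` as `real` and serialize `trace` with `JSON.stringify` to get the call list and the key list.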

We've released the tracer under a BSD license. You can get the code from the Cryptosense GitHub page.