Comments on: How does Weave use Cryptography?

By: Why should you encrypt user data? « Binary Sunrise

Why should you encrypt user data? « Binary Sunrise — Tue, 02 Aug 2011 23:34:49 +0000

[...] of the things I like most about Firefox Sync is that all my browsing data is encrypted before anything leaves my computer. This wasn’t easy to do, there is a ton of engineering [...]

By: Delicious Bookmarks for December 13th from 18:47 to 21:50 « Lâmôlabs

Delicious Bookmarks for December 13th from 18:47 to 21:50 « Lâmôlabs — Tue, 14 Dec 2010 03:02:19 +0000

[...] How does Weave use Cryptography? « Binary Sunrise – December 13th ( tags: firefox sync api encryption weave how article explanation bookmarks ) [...]

By: Marcus Wolschon

Marcus Wolschon — Tue, 09 Nov 2010 06:51:00 +0000

I’m trying to write a plugin for DolplinHD (a browser for android) to support Firefox 4 Sync (version 3) but am struggling with the crypto in Java. I could not find my way around the C++ -source of Firefox for Android (have the code here).

Somehow I never end up with a valid RSA-key in step 4.

my step 3 is:
private static SecretKeySpec passwordToSymmetricKey(final char[] password, byte[] salt) throws Exception {
// http://stackoverflow.com/questions/992019/java-256bit-aes-encryption
SecretKeyFactory f = SecretKeyFactory.getInstance(“PBKDF2WithHmacSHA1″);
KeySpec ks = new PBEKeySpec(password, salt, 1024, 128);
SecretKey s = f.generateSecret(ks);
SecretKeySpec k = new SecretKeySpec(s.getEncoded(), “AES”);

return k;
}

my step 4 is:
SecretKeySpec symmetricKey = passwordToSymmetricKey(passphrase.toCharArray(), salt);
Cipher cipher = Cipher.getInstance(“AES/CBC/NoPadding”);
IvParameterSpec ips = new IvParameterSpec(iv);
cipher.init(Cipher.UNWRAP_MODE, symmetricKey, ips);
Key decryptedPrivKey = cipher.unwrap(privKey, “RSA”, Cipher.PRIVATE_KEY);

the problem:
“invalid key format” (trying to parse the key as PKCS8=ASN.1)

By: Xentience (Internal) Blog » Ars examines Chrome and Firefox bookmark sync protocols

Sat, 09 Oct 2010 06:33:58 +0000

[...] dry and beyond the scope of this article, but Mozilla’s Anant Narayanan has published a very clear and accessible overview that is worth a look if such things interest you. It’s not all that intimidating if you know [...]

By: Alexander Kriegisch

Alexander Kriegisch — Sat, 30 Jan 2010 14:23:55 +0000

I suggest that you or one of your peers create one or more illustrative pics explaining the above article more comprehensively. I know quite something about crypto, but many other uses do not. The illustration could be similar to a UML sequence diagram (http://en.wikipedia.org/wiki/Sequence_diagram) and show which steps happen on the client vs. server side. Who en-/decrypts what, where and when?

By: Le blog de Xavier … » Blog Archive » Quoi de neuf cette semaine …

Sat, 16 Jan 2010 09:34:37 +0000

[...] me semble avoir été traitée correctement (pour les curieux et les paranoïaques c’est ICI). Petit rappel : Weave permet de synchroniser bookmarks, historique, mots de passe et paramétrage [...]

By: Mozilla’s Weave and cryptography. « My Blog

Mozilla’s Weave and cryptography. « My Blog — Wed, 21 Oct 2009 13:04:37 +0000

[...] Unfortunately, I didn’t even try building the component due to lack of time. But before bringing my little exploration to a halt, I tried to find some more information about how their cryptography module is utilized by the Weave extension but I didn’t had any luck. However, after a month or so, a friend of mine passed me this wonderful link: How does Weave use Cryptography? [...]

By: Smörgåsbord » Weave: Browser bookmark & password syncing The Right Way

Smörgåsbord » Weave: Browser bookmark & password syncing The Right Way — Sun, 18 Oct 2009 11:46:09 +0000

[...] Details on Weave’s crypto [...]

By: voracity

voracity — Tue, 13 Oct 2009 10:11:00 +0000

I may have misunderstood but does that mean if you share your symmetric key (e.g. for bookmarks) with someone, you can’t revoke it later without regenerating the symmetric key for that component?

By: Anant

Anant — Mon, 12 Oct 2009 14:50:01 +0000

@Anonymous: We have considered providing support for custom user keys, though the focus right now is on a stable and reliable 1.0 release. As for how Weave interacts with “clear recent history”, your history might get synced but the entries will quickly be deleted on the next cycle (the action of clearing recent history would trigger a sync).

@Gerv: We’re definitely thinking about deriving the password from the passphrase. thunder has been working on a spec: it’s available at https://wiki.mozilla.org/Labs/Weave/WEP/100 (Comments welcome!)