Keygen tag in HTML5

SecurityHtmlSsl

Security Problem Overview

So I came across this new tag in HTML5, <keygen>. I can't quite figure out what it is for, how it is applied, and how it might affect browser behavior.

I understand that this tag is for form encryption, but what is the difference between <keygen> and having a SSL certificate for your domain. Also, what is the challenge attribute?

I'm not planning on using it as it is far from implemented in an acceptable range of browsers, but I am curious as to what EXACTLY this tag does. All I can find is vague cookie-cutter documentation with no real examples of usage.

Edit:

I have found a VERY informative document, here. This runs through both client-side and server-side implementation of the keygen tag.

I am still curious as to what the benefit of this over a domain SSL certificate would be.

Security Solutions

Solution 1 - Security

SSL is about "server identification" or "server AND client authentication (mutual authentication)".

In most cases only the server presents its server-certificate during the SSL handshake so that you could make sure that this really is the server you expect to connect to. In some cases the server also wants to verify that you really are the person you pretend to be. For this you need a client-certificate.

The <keygen> tag generates a public/private key pair and then creates a certificate request. This certificate request will be sent to a Certificate Authority (CA). The CA creates a certificate and sends it back to the browser. Now you are able to use this certificate for user authentication.

Solution 2 - Security

You're missing some history. keygen was first supported by Netscape when it was still a relevant browser. IE, OTOH, supported the same use cases through its ActiveX APIs. Opera and WebKit (or even KHTML), unwilling to reverse-engineer the entire Win32 API, reverse-engineered keygen instead.

It was specified in Web Forms 2.0 (which has now been merged into the HTML specification), in order to improve interoperability between the browsers that implemented it.

Since then, the IE team has reiterated their refusal to implement keygen, and the specification (in order to avoid turning into dry science fiction) has been changed to not require an actual implementation:

> Note: This specification does not > specify what key types user agents are > to support — it is possible for a user > agent to not support any key types at > all.

In short, this is not a new element, and unless you can ignore IE, it's probably not what you want.

Solution 3 - Security

If you're looking for "exactly" then I'd recommend reading the RFC.

The keygen element is for creating a key for authentication of the user while SSL is concerned about privacy of communication and the authentication of the server. Quoting from the RFC:

> This specification does not specify how the private key generated is to be used. It is expected that after receiving the SignedPublicKeyAndChallenge (SPKAC) structure, the server will generate a client certificate and offer it back to the user for download; this certificate, once downloaded and stored in the key store along with the private key, can then be used to authenticate to services that use TLS and certificate authentication.

Solution 4 - Security

Deprecated

> This feature has been removed from the Web standards. Though some > browsers may still support it, it is in the process of being dropped. > Avoid using it and update existing code if possible. Be aware that > this feature may cease to work at any time.

Source

Solution 5 - Security

The doc is useful to elaborate on what is the keygen element. Its requirement arises in WebID that maybe understood to be part of Semantic Web of Linked Data as seen at https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html#creating-a-certificate 2.1.1

Solution 6 - Security

This might be useful for websites that provide services, where people need to pay for the service, like video on demand, or news website for professionals like Bloomberg. With this keys people can only watch the content in their computer and not in simultaneous computers! You decide how data is stored and processed. you can specify a .asp or .php file that will receive the variables and your file will store that key in the user profile. This way your users will not be able to log in from a different computer if you want. You may force them to check their email to authorize that new computer, just like steam does. Basically it allows to individualize service access, if your licensing model is per machine, like Operating System.

You can check the specs here: http://www.w3.org/TR/html-markup/keygen.html

Categories
Recommended Security Solutions
Recommended Html Solutions
Recommended Ssl Solutions

Previous Solution:

Reducing video size with same format and reducing frame size

VideoCompressionVideo ProcessingLossy Compression

Next Solution:

Update a column, all rows

Ruby on-Rails

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionCraigeView Question on Stackoverflow
Solution 1 - SecurityduddexView Answer on Stackoverflow
Solution 2 - SecurityMs2gerView Answer on Stackoverflow
Solution 3 - SecurityAndrewView Answer on Stackoverflow
Solution 4 - SecurityNeri BarakatView Answer on Stackoverflow
Solution 5 - SecurityChawathe Vipul SView Answer on Stackoverflow
Solution 6 - SecurityPaulo SantosView Answer on Stackoverflow