Web Crypto: Support PBKDF2 algorithm for crypto.subtle.importKey

Issue #9259365 • Assigned to Steve B.


Robert E.
Oct 8, 2016
This issue is public.
Found in
  • Microsoft Edge
Standard affected
Web Cryptography API

Found in build #
Reported by 8 people


Steps to reproduce

crypto.subtle.importKey('raw', data, 'PBKDF2', false, ['deriveKey', 'deriveBits']) and crypto.subtle.importKey('raw', data, { name: 'PBKDF2' }, false, ['deriveKey', 'deriveBits']) throw an error.

For Web Crypto to be usable in practice, a lot of use cases rely on protecting keys with a user-defined passphrase. Without this, we cannot make our platform work with Microsoft Edge.



    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

      Changed Assigned To to “Venkat K.”

    • Note that it is not too complicated to implement PBKDF2 through HMAC-SHA1 which Edge does support in Web Crypto. I’ve done so for the Easy Passwords extension: https://github.com/palant/easypasswords/blob/1137960674442554810e0884e873250b90183071/lib/crypto.js#L23. However, this code is unusable because deriving with 100,000 iterations takes 15 seconds for me. Firefox and Chrome with their support for PBKDF2 do it in less than 0.2 seconds. Meaning - no Easy Passwords on Edge for now.
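Added example, not part of the thread and not the Easy Passwords code: a sketch of the approach the comment above describes, which tries the native PBKDF2 `importKey` from the steps to reproduce first and falls back to PBKDF2 built from HMAC `sign()` calls when that import is rejected. The function names are hypothetical, and password and salt are assumed to be `Uint8Array` values.

```javascript
// Added example; function names are hypothetical, not from the thread.
// Browser global; Node before 19 exposes it via require('crypto').webcrypto.
const subtle = (globalThis.crypto || require('crypto').webcrypto).subtle;

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// PBKDF2 (RFC 8018) using only HMAC importKey/sign.
// Costs one awaited sign() call per iteration and per output block.
async function pbkdf2ViaHmac(password, salt, iterations, byteLength, hash) {
  const key = await subtle.importKey(
    'raw', password, { name: 'HMAC', hash }, false, ['sign']);
  const out = new Uint8Array(byteLength);
  for (let block = 1, offset = 0; offset < byteLength; block++) {
    // U_1 = HMAC(password, salt || INT_32_BE(block))
    const first = new Uint8Array(salt.length + 4);
    first.set(salt);
    new DataView(first.buffer).setUint32(salt.length, block, false);
    let u = new Uint8Array(await subtle.sign('HMAC', key, first));
    const t = Uint8Array.from(u);
    // U_i = HMAC(password, U_{i-1}); T = U_1 ^ U_2 ^ ... ^ U_c
    for (let i = 1; i < iterations; i++) {
      u = new Uint8Array(await subtle.sign('HMAC', key, u));
      for (let j = 0; j < t.length; j++) t[j] ^= u[j];
    }
    out.set(t.subarray(0, byteLength - offset), offset);
    offset += t.length;
  }
  return out;
}

// Try native PBKDF2 first; fall back only when importKey rejects it.
async function deriveBitsPBKDF2(password, salt, iterations, byteLength, hash) {
  let baseKey;
  try {
    baseKey = await subtle.importKey(
      'raw', password, { name: 'PBKDF2' }, false, ['deriveBits']);
  } catch (err) {
    const bits = await pbkdf2ViaHmac(password, salt, iterations, byteLength, hash);
    return { native: false, bits };
  }
  const bits = await subtle.deriveBits(
    { name: 'PBKDF2', salt, iterations, hash }, baseKey, byteLength * 8);
  return { native: true, bits: new Uint8Array(bits) };
}
```

The `native` flag in the result lets a caller log or measure how often the slower fallback path is taken.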

    • Microsoft Edge Team

      Changed Title from “Support PBKDF2 algorithm for crypto.subtle.importKey” to “Web Crypto: Support PBKDF2 algorithm for crypto.subtle.importKey”

      Changed Assigned To from “Venkat K.” to “Steve B.”

    • Both Chrome and Firefox support PBKDF2 with HMAC-SHA256. Edge needs to fill the API gap if it wants to compete and gain market share.

    • Yes, according to https://bugzilla.mozilla.org/show_bug.cgi?id=1238277 PBKDF with HMAC-SHA256 is also supported as of Firefox 47; originally Firefox was only exposing HMAC-SHA1.

    • Chrome and FF support all deriveKey algorithms. When will Edge implement that algorithm? Do you have it in your roadmap?

    • Any update here?

    • Still waiting on an update.

    • Any update on this? This is quite a critical miss in subtle crypto api and MS needs to support this ASAP!

    • Microsoft once again shows why they are so insignificant in the browser market space. No willingness to implement new features or fix bugs.

      For those reading this: just stop worrying about Microsoft browsers and redirect users to modern, safe web browsers such as Firefox and Chrome.
