Web Crypto: Support PBKDF2 algorithm for crypto.subtle.importKey

Issue #9259365 • Assigned to Divya G.


Robert E.
Oct 8, 2016
This issue is public.
Found in
  • Microsoft Edge
Standard affected
Web Cryptography API

Found in build #
Reported by 12 people


Steps to reproduce

crypto.subtle.importKey('raw', data, 'PBKDF2', false, ['deriveKey', 'deriveBits']) and crypto.subtle.importKey('raw', data, { name: 'PBKDF2' }, false, ['deriveKey', 'deriveBits']) throw an error.

For Web Crypto to be usable in practice, a lot of use cases rely on protecting keys with a user-defined passphrase. Without this, we cannot make our platform work with Microsoft Edge.



    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

      Changed Assigned To to “Venkat K.”

    • Note that it is not too complicated to implement PBKDF2 through HMAC-SHA1 which Edge does support in Web Crypto. I’ve done so for the Easy Passwords extension: https://github.com/palant/easypasswords/blob/1137960674442554810e0884e873250b90183071/lib/crypto.js#L23. However, this code is unusable because deriving with 100,000 iterations takes 15 seconds for me. Firefox and Chrome with their support for PBKDF2 do it in less than 0.2 seconds. Meaning - no Easy Passwords on Edge for now.
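
The two approaches discussed in this thread side by side, as an added example that is not part of the original report or of the linked Easy Passwords code: the native `importKey('raw', ..., 'PBKDF2', ...)` path from the steps to reproduce, and a PBKDF2 fallback built on HMAC `sign()` for browsers that reject it. The function names are hypothetical, and SHA-1 is the default only because the comment above names HMAC-SHA1.

```javascript
// Added example: native PBKDF2 when importKey accepts it, HMAC loop otherwise.
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : undefined);
const enc = new TextEncoder();
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Native path: the importKey call from the report, followed by deriveBits.
async function pbkdf2Native(password, salt, iterations, byteLen, hash = 'SHA-1') {
  const key = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveBits']);
  const params = { name: 'PBKDF2', salt: enc.encode(salt), iterations, hash };
  return new Uint8Array(await subtle.deriveBits(params, key, byteLen * 8));
}

// Fallback path: PBKDF2 (RFC 8018) built on subtle.sign with an HMAC key.
// One awaited sign() call per iteration is what makes this slow at high counts.
async function pbkdf2ViaHmac(password, salt, iterations, byteLen, hash = 'SHA-1') {
  const key = await subtle.importKey('raw', enc.encode(password),
    { name: 'HMAC', hash }, false, ['sign']);
  const saltBytes = enc.encode(salt);
  const out = new Uint8Array(byteLen);
  for (let block = 1, offset = 0; offset < byteLen; block++) {
    // U_1 = HMAC(P, S || INT_32_BE(block))
    const first = new Uint8Array(saltBytes.length + 4);
    first.set(saltBytes);
    new DataView(first.buffer).setUint32(saltBytes.length, block, false);
    let u = new Uint8Array(await subtle.sign('HMAC', key, first));
    const t = u.slice();
    for (let i = 1; i < iterations; i++) {
      u = new Uint8Array(await subtle.sign('HMAC', key, u)); // U_i = HMAC(P, U_{i-1})
      for (let j = 0; j < t.length; j++) t[j] ^= u[j];       // T = U_1 ^ ... ^ U_c
    }
    out.set(t.subarray(0, Math.min(t.length, byteLen - offset)), offset);
    offset += t.length;
  }
  return out;
}

// Prefer the native algorithm; fall back only when the browser rejects it.
async function derive(password, salt, iterations, byteLen) {
  try {
    return { native: true, bits: await pbkdf2Native(password, salt, iterations, byteLen) };
  } catch (e) {
    return { native: false, bits: await pbkdf2ViaHmac(password, salt, iterations, byteLen) };
  }
}
```

Both paths produce identical output for the same inputs, so the fallback can be checked against the RFC 6070 test vectors before relying on it.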

    • Microsoft Edge Team

      Changed Title from “Support PBKDF2 algorithm for crypto.subtle.importKey” to “Web Crypto: Support PBKDF2 algorithm for crypto.subtle.importKey”

      Changed Assigned To from “Venkat K.” to “Steve B.”

    • Both Chrome and Firefox support PBKDF2 with HMAC-SHA256. Edge needs to fill the API gap if it wants to compete and gain market share.

    • Yes, according to https://bugzilla.mozilla.org/show_bug.cgi?id=1238277 PBKDF with HMAC-SHA256 is also supported as of Firefox 47; originally Firefox was only exposing HMAC-SHA1.

    • Chrome and FF support all deriveKey algorithms. When will Edge implement that algorithm? Do you have it on your roadmap?

    • Any update here?

    • Still waiting on an update.

    • Any update on this? This is quite a critical miss in subtle crypto api and MS needs to support this ASAP!

    • Microsoft once again shows why they are so insignificant in the browser market space. No willingness to implement new features or fix bugs.

      For those reading this: just stop worrying about Microsoft browsers and redirect users to modern, safe web browsers such as Firefox and Chrome.

    • Any update on this?

    • Microsoft Edge Team

      Changed Assigned To from “Steve B.” to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Divya G.”

    • Any idea of when it will be available?

    • @Microsoft Edge Team: We really do need some sort of response here because from the outside it looks like you guys are passing the buck internally.

      Bottom line, we cannot have a situation where the browser is unable to produce a secure remote password / proof of secret using the PBKDF2 algorithm. The functionality gap excludes Microsoft browsers from use with highly secure web apps.

      Please respond, I’d prefer not to escalate this matter in an upcoming call.
