The W3C is working on a cryptography API for JavaScript, which will enable JavaScript to perform “basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications.”

Despite JavaScript cryptography being “considered harmful”, the United States Department of Homeland Security and BBN Technologies have been working on PolyCrypt, which aims to be a “polyfill” for the WebCrypto API. They realize the security issues with pure JavaScript cryptography (which the WebCrypto API should help with), and so the primary usecase for PolyCrypt is just for developers to get a feel of the API before browsers actually implement it.

PolyCrypt contains most or all of the functions in the current WebCrypto draft, except under the window.polycrypt namespace instead of window.crypto. This is because some browsers like Chrome already have window.crypto despite only containing the random number generation method.

Just like the browser crypto API will be, PolyCrypt is asynchronous, taking advantage of Web Workers to perform expensive computations. PolyCrpypt also lives in another origin via an invisible iframe on the page, communicating with the main page via postMessage, which is an interesting decision. You can find out more about how it works on their detailed documentation page.

As web applications become more complex, we will need good cryptography in the browser, as secure as we can make it. The WebCrypto API promises to solve some of our problems, and PolyCrypt is a good way to get started and get familiar with the API while browsers dillydally.

You can check out the PolyCrypt demo/test page, the code on Github, and the WebCrypto API specification draft from the W3C. This is yet another API to watch in 2013!