Namespace: WvdS.System.Security.Cryptography.Providers
JavaScript Interop-basierter Krypto-Provider für Blazor WebAssembly. Kommuniziert über IJSRuntime mit openssl.wasm.
Der WasmCryptoProvider ermöglicht Post-Quantum Kryptographie in Blazor WebAssembly Anwendungen durch:
NativeCryptoProviderBlazor WebAssembly
│
▼
┌─────────────────┐
│ WasmCrypto- │
│ Provider │
│ (C#) │
└────────┬────────┘
│ IJSRuntime.InvokeAsync
▼
┌─────────────────┐
│ wvds-crypto.js │
│ (JavaScript) │
└────────┬────────┘
│
▼
┌─────────────────┐
│ openssl.wasm │
│ (WebAssembly) │
└─────────────────┘
| Eigenschaft | Typ | Beschreibung |
|---|---|---|
Name | string | "WASM (JS Interop)" |
IsAvailable | bool | true wenn initialisiert |
// Program.cs (Blazor WebAssembly) builder.Services.AddScoped<ICryptoProvider>(sp => new WasmCryptoProvider(sp.GetRequiredService<IJSRuntime>()));
@inject ICryptoProvider CryptoProvider @code { protected override async Task OnInitializedAsync() { await CryptoProvider.InitializeAsync(); if (CryptoProvider.IsAvailable) { var version = CryptoProvider.GetOpenSslVersion(); Console.WriteLine($"OpenSSL WASM: {version}"); } } }
In wwwroot/index.html:
<head> <!-- OpenSSL WASM Module --> <script src="_content/WvdS.Crypto/openssl.js"></script> <!-- WvdS Crypto Wrapper --> <script src="_content/WvdS.Crypto/wvds-crypto.js"></script> </head>
var (publicKey, privateKey) = await provider.GenerateMlDsaKeyPairAsync("ML-DSA-65");
byte[] data = Encoding.UTF8.GetBytes("Browser-signierte Daten"); byte[] signature = await provider.SignMlDsaAsync(data, privateKey);
bool isValid = await provider.VerifyMlDsaAsync(data, signature, publicKey);
var (publicKey, privateKey) = await provider.GenerateMlKemKeyPairAsync("ML-KEM-768");
var (sharedSecret, ciphertext) = await provider.EncapsulateAsync(recipientPublicKey);
byte[] sharedSecret = await provider.DecapsulateAsync(ciphertext, privateKey);
PBKDF2 über Web Crypto API.
byte[] salt = await provider.RandomBytesAsync(32); byte[] derivedKey = await provider.Pbkdf2Async( password: "UserPassword", salt: salt, iterations: 100000, outputLength: 32, hash: "SHA-256");
PBKDF2 mit PQ-verstärktem Salt.
byte[] key = await provider.Pbkdf2WithPqSaltAsync( password: "UserPassword", baseSalt: baseSalt, pqPublicKey: recipientPqPublicKey, iterations: 100000, outputLength: 32);
Memory-hard KDF via OpenSSL WASM.
byte[] key = await provider.Argon2idAsync( password: passwordBytes, salt: salt, outputLength: 32, iterations: 3, memoryKiB: 65536, parallelism: 4);
Für große Datenmengen mit Chunk-Verarbeitung.
byte[] key = await provider.RandomBytesAsync(32); // Verschlüsseln byte[] encrypted = await provider.EncryptChunkedAsync( plaintext, key, chunkSize: 65536); // 64 KB Chunks // Entschlüsseln byte[] decrypted = await provider.DecryptChunkedAsync(encrypted, key);
Kombiniert ML-KEM Key Exchange mit chunked Encryption.
// Verschlüsseln für Empfänger var (kemCiphertext, encryptedData) = await provider.EncryptStreamWithPqKeyAsync( plaintext, recipientPublicKey, chunkSize: 65536); // Entschlüsseln byte[] decrypted = await provider.DecryptStreamWithPqKeyAsync( kemCiphertext, encryptedData, privateKey);
byte[] prk = await provider.HkdfExtractAsync(salt, inputKeyMaterial);
byte[] okm = await provider.HkdfExpandAsync(prk, info, outputLength: 32);
Extract + Expand in einem Schritt.
byte[] key = await provider.HkdfDeriveKeyAsync( ikm: sharedSecret, length: 32, salt: optionalSalt, info: contextInfo);
Kombiniert klassisches und PQ Secret.
byte[] hybridKey = await provider.DeriveHybridKeyAsync( classicSecret: ecdhSecret, pqSecret: mlKemSecret, outputLength: 32);
Tls13KeyMaterial keys = await provider.DeriveTls13KeysAsync( sharedSecret, clientHello, serverHello); // Zugriff auf abgeleitete Secrets var clientKey = keys.ClientHandshakeTrafficSecret; var serverKey = keys.ServerHandshakeTrafficSecret;
Erstellt hybride Signatur aus klassischer Signatur und ML-DSA.
// Klassische Signatur erstellen (z.B. ECDSA) byte[] classicSig = CreateEcdsaSignature(data); // Hybrid-Signatur erstellen byte[] hybridSig = await provider.CreateHybridSignatureAsync( data, classicSig, mlDsaPrivateKey);
Kryptographisch sichere Zufallszahlen via Web Crypto API.
byte[] random = await provider.RandomBytesAsync(32);
byte[] certBytes = await provider.CreateEphemeralCertificateAsync( "CN=Browser Certificate", TimeSpan.FromHours(1), mlDsaPrivateKey);
byte[] signedCert = await provider.SignCertificateAsync(tbsCertificate, privateKey);
| Methode | Parameter | Rückgabe |
|---|---|---|
GenerateMlDsaKeyPairAsync | string algorithm | Task<(byte[], byte[])> |
SignMlDsaAsync | byte[] data, byte[] privateKey | Task<byte[]> |
VerifyMlDsaAsync | byte[] data, byte[] signature, byte[] publicKey | Task<bool> |
| Methode | Parameter | Rückgabe |
|---|---|---|
GenerateMlKemKeyPairAsync | string algorithm | Task<(byte[], byte[])> |
EncapsulateAsync | byte[] publicKey | Task<(byte[], byte[])> |
DecapsulateAsync | byte[] ciphertext, byte[] privateKey | Task<byte[]> |
| Methode | Parameter | Rückgabe |
|---|---|---|
Pbkdf2Async | string password, byte[] salt, int iterations, int outputLength, string hash | Task<byte[]> |
Pbkdf2WithPqSaltAsync | string password, byte[] baseSalt, byte[] pqPublicKey, int iterations, int outputLength | Task<byte[]> |
Argon2idAsync | byte[]/string password, byte[] salt, int outputLength, int iterations, int memoryKiB, int parallelism | Task<byte[]> |
| Methode | Parameter | Rückgabe |
|---|---|---|
HkdfExtractAsync | byte[] salt, byte[] ikm | Task<byte[]> |
HkdfExpandAsync | byte[] prk, byte[] info, int length | Task<byte[]> |
HkdfDeriveKeyAsync | byte[] ikm, int length, byte[]? salt, byte[]? info | Task<byte[]> |
DeriveHybridKeyAsync | byte[] classicSecret, byte[] pqSecret, int outputLength | Task<byte[]> |
| Methode | Parameter | Rückgabe |
|---|---|---|
EncryptChunkedAsync | byte[] plaintext, byte[] key, int chunkSize | Task<byte[]> |
DecryptChunkedAsync | byte[] ciphertext, byte[] key | Task<byte[]> |
EncryptStreamWithPqKeyAsync | byte[] plaintext, byte[] publicKey, int chunkSize | Task<(byte[], byte[])> |
DecryptStreamWithPqKeyAsync | byte[] kemCiphertext, byte[] encryptedData, byte[] privateKey | Task<byte[]> |
| Methode | Parameter | Rückgabe |
|---|---|---|
RandomBytesAsync | int length | Task<byte[]> |
CreateHybridSignatureAsync | byte[] data, byte[] classicSig, byte[] pqPrivKey | Task<byte[]> |
DeriveTls13KeysAsync | byte[] sharedSecret, byte[] clientHello, byte[] serverHello | Task<Tls13KeyMaterial> |
// Blazor Component @page "/crypto-demo" @inject ICryptoProvider CryptoProvider <h3>PQ Crypto Demo</h3> <p>Status: @_status</p> @code { private string _status = "Initializing..."; protected override async Task OnInitializedAsync() { try { await CryptoProvider.InitializeAsync(); // Key Exchange Demo var (alicePublic, alicePrivate) = await CryptoProvider.GenerateMlKemKeyPairAsync(); var (sharedSecret, ciphertext) = await CryptoProvider.EncapsulateAsync(alicePublic); var decapsulated = await CryptoProvider.DecapsulateAsync(ciphertext, alicePrivate); bool keysMatch = sharedSecret.SequenceEqual(decapsulated); // Signatur Demo var (sigPub, sigPriv) = await CryptoProvider.GenerateMlDsaKeyPairAsync(); byte[] message = Encoding.UTF8.GetBytes("Test Message"); byte[] signature = await CryptoProvider.SignMlDsaAsync(message, sigPriv); bool isValid = await CryptoProvider.VerifyMlDsaAsync(message, signature, sigPub); _status = $"Keys match: {keysMatch}, Signature valid: {isValid}"; } catch (Exception ex) { _status = $"Error: {ex.Message}"; } } }
openssl.wasm und wvds-crypto.js müssen korrekt geladen seinWolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional