
This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

Draft
This page is not complete.

The Web Crypto API is an interface allowing a script to use cryptographic primitives in order to build systems using cryptography.

A fundamental feature of this API is to allow the manipulation and storage of private and secret keys without requiring the underlying bits of the key to be made available to JavaScript.

This interface allows a script to access the following primitives:

  • digest, the ability to compute a hash of an arbitrary block of data, in order to detect any change in it.
  • mac, the ability to compute a message authentication code.
  • sign and verify, the ability to digitally sign a document, and to verify a signature.
  • encrypt and decrypt, the ability to encode or decode a document.
  • import and export, the ability to import a key or export a key.
  • key generation, the ability to create a cryptographically secure key, or key pair, without the use of a base key, but using the available entropy of the local system.
  • key wrapping and unwrapping, the ability to transmit, and to receive, a key from a third party, encoded using another key, without exposing the underlying key to JavaScript.
  • random, the ability to generate cryptographically sound pseudo-random numbers.

Web Crypto API doesn't solve all cryptographic problems a Web site or an application may encounter:

  • It doesn't relax the same-origin security model of the browser, for example in cases where keys issued by centralized entities are used by several Web sites.
  • It doesn't interact with dedicated hardware, like smart cards, USB dongles, or randomness generators.

Warning!

  • The mere use of cryptography doesn't make your system secure. Security is a process that constantly evaluates the risks a system incurs in its context of use. The context and the risks experienced evolve over time.
  • When dealing with security, the whole system must be considered. In the case of the Web Crypto API, Web developers shouldn't consider only the security of the script, but also the security of the connection to the server, because using Web Crypto over HTTP is not secure. The overall security can't be stronger than the security of the weakest part of the overall system.

Interfaces

Some browsers implemented an interface called Crypto without having it well defined or being cryptographically sound. In order to avoid confusion, methods and properties of this interface have been removed from browsers implementing the Web Crypto API, and all Web Crypto API methods are available on a new interface: SubtleCrypto. The Crypto.subtle property gives access to an object implementing it.

Use cases

The Web Crypto API can be used:

  • to verify that data has not been tampered with by a third party. Even if the data is stored in the clear, storing a signature generated from a password allows the people who know the password to confirm that the data is genuine.
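
The use case above, as an added example that is not part of the original page: a password is turned into a non-extractable HMAC key, the resulting tag is stored with the clear-text data, and any later change to the data or use of a different password makes verification fail. The choice of PBKDF2 to derive the key, the iteration count, the helper names and the sample values are assumptions made for illustration.

```javascript
// Browsers and recent Node.js expose globalThis.crypto; older Node.js falls back to node:crypto.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = webCrypto.subtle;
const enc = new TextEncoder();

// Derive an HMAC-SHA-256 key from a password with PBKDF2 (assumed KDF and iteration count).
async function keyFromPassword(password, salt, iterations = 600000) {
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations, hash: 'SHA-256' },
    base,
    { name: 'HMAC', hash: 'SHA-256', length: 256 },
    false, // extractable = false: script may use the key but never read its bits
    ['sign', 'verify']);
}

// Build the record stored with the clear-text data: the data, a random salt and the MAC.
async function protect(password, text) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const key = await keyFromPassword(password, salt);
  const tag = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(text)));
  return { text, salt, tag };
}

// Resolves to true only when the text is unchanged and the password matches.
async function check(password, record) {
  const key = await keyFromPassword(password, record.salt);
  return subtle.verify('HMAC', key, record.tag, enc.encode(record.text));
}

// Resolves to true when exporting the key is rejected, as it must be for a non-extractable key.
async function exportIsRefused(key) {
  try { await subtle.exportKey('raw', key); return false; } catch { return true; }
}

// Constructed sample data: a stored value, a modified copy, and a wrong password.
async function demo() {
  const pw = 'constructed-passphrase';
  const stored = await protect(pw, 'balance=100');
  return {
    genuine: await check(pw, stored),
    tampered: await check(pw, { ...stored, text: 'balance=900' }),
    wrongPassword: await check('other-passphrase', stored),
    exportRefused: await exportIsRefused(await keyFromPassword(pw, stored.salt)),
  };
}
```

The tag only shows that the data was written by someone who knows the password; as the warning above notes, the script performing the check must itself be delivered over a secure connection.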

Specifications

Specification | Status | Comment
Web Cryptography API | Recommendation | Initial definition

Browser compatibility

Crypto

Version numbers give the first version with full support unless noted otherwise.

Platform | Browser | Basic support | subtle (experimental) | getRandomValues
Desktop | Chrome | 11 | 37 | 11
Desktop | Edge | 12 | 12 | 12
Desktop | Firefox | 26 | 34 [1] | 26
Desktop | Internet Explorer | 11 | 11 (partial support) | 11
Desktop | Opera | 15 | 24 | 15
Desktop | Safari | 6.1 | 10.1 [2] | 4
Mobile | Android webview | Yes | 37 | Yes
Mobile | Chrome for Android | 18 | 37 | 18
Mobile | Edge Mobile | 12 | 12 | 12
Mobile | Firefox for Android | 26 | 34 [1] | 26
Mobile | Opera for Android | 14 | 24 | 14
Mobile | iOS Safari | 6.1 | 10.1 [2] | 4
Mobile | Samsung Internet | Yes | Yes | Yes

[1] No support 32 — 34. Disabled: from version 32 until version 34 (exclusive), this feature is behind the dom.webcrypto.enabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
[2] Full support from version 7 with the vendor prefix: webkit.


Document tags and contributors

Last updated by: Hekelleh,