 

HTML5 Client Side Data Encryption - What are my options?

I am working on a EDIT: mobile web app which displays some sensitive information and requires a login which stores the member's username and password in an HTML5 Session. The username and password are currently stored in an un-encrypted state for the reason that we need to use this username and password on each page load to access the client's remote web-service.

EDIT: After a security review our client raised the following concern:

"There is the potential that Session Storage information can get stored on disk (e.g. on a browser crash). For this reason no sensitive information should be stored unencrypted in session storage. User ID’s and session tokens can be stored since session timeouts are implemented however storing of passwords/PINs is not recommended."

What would be the best/most secure method of encrypting and decrypting sensitive data stored client-side?

Thanks!

TGuimond asked May 12 '11 09:05



2 Answers

Hi, instead of storing the username and password, can you not create some sort of "session" with the remote server and instead transmit an authentication token?

Storing a username and password anywhere on the client side gives me the shivers.

Perhaps instead of looking for ways of storing the username / password safely, look for ways of removing the need to store it at all.

However of course I'm saying this without knowing the full background... I'm guessing there is a good reason to need to store the username / password.

Alex KeySmith answered Sep 19 '22 05:09


For anyone stumbling upon this question, Stanford has a crypto project over at http://crypto.stanford.edu/sjcl/. I have not used it myself in production, but am busy investigating it and so far it looks promising. Hope this helps someone.

Tash Pemhiwa answered Sep 21 '22 05:09