HTML5 - offline mode, localStorage and security are on a boat

My client wants to be able to work online and offline to manipulate data, typically create or retrieve products.

While online, he wants to use web services and the server database, but when offline (network breakup or whatever), he wants the data to be persisted and encrypted in the localStorage.

I'm going for a javascript crypto lib, getting the password from the login page and using password derived key for the encryption passphrase. The key would be stored in a simple javascript var (the page is dynamic, so no page change).

What are your inputs on the matter and what solution would you recommend? Any good javascript crypto lib?

Breakdown asked May 31 '12 09:05




1 Answer

The solution is, as you say, to derive the key from the client's password. That way you never have to store it directly. This is the technique used by LastPass, a password manager. The function most people use for this is PBKDF2. Storing the key in a simple var is not really insecure in that if someone can read that var, they could read the data your client is working on. Just make sure you clear the data when the client logs out.

Thankfully, this library already does almost all of these things very well and was written by real honest to god cryptographers and not some web 2.0 guy who read Bruce Schneier's book and thought they knew all there is to know about crypto.

imichaelmiers answered Sep 22 '22 00:09
