Offline security HTML 5 application

I am working for a web development company and have been put in charge of securing apps or any other content when the app is not connected to the internet, which means standard login protocols over HTTPS don't apply.

The company I work for profiles itself in making applications for 'on the road' with bad internet connections. For reasons everyone can understand, the users must be able to 'lock' the application and be able to unlock it as well, preferably with the password they use to log in when they are online (they get a secure cookie which authenticates them with the webserver when online).

Now I need some way to check the password without letting a hacker easily look into WebSQL/IndexedDB/local storage and just find it there. Storing it as a simple hash is too easily hacked.

I thought of storing it salted, but it would be just a matter of time before it is hacked. I also thought of hashing part of the password (like the last 4 characters) with a salt, so that in case it does get rainbowed they only unlock the application and don't have the password.

I can't really seem to find good and/or standardized ways of securing offline HTML5 apps. Are there any best practices?

Another question is the security of the data in the offline storage itself, so that only the application can read it. I can come up with ways to make the data 'unreadable', but for every way I can come up with to store records securely I can also come up with a method to hack it. So any advice in this field is welcome as well.

asked Nov 11 '22 07:11 by ovanwijk


1 Answer

Like ovanwijk suggested: I think only storing the (salted) hash is fair enough. For a user to unlock the screen he/she clear-types the passphrase; it will be hashed and must match the stored hash. And that can be used to encrypt data. Luckily Stanford came up with a very nice crypto library for JavaScript: http://crypto.stanford.edu/sjcl

Sadly, in the browser there's no secure place a website has access to but no one else. Think about it: if there was such a place, you could open up the debugging tools and inject some code to access it. Since JS security is a matter of research only, there's no standard solution to this problem...

answered Nov 15 '22 10:11 by Daniel Schulz