javascript - HTML5 offline authentication -


I'm looking for advice / criticism how best to use an HTML5 which is largely offline Is used.

This application uses a combination of indexed, local and session storage so that the data can be stored so that it can be used offline, the data / pages are served through HTTPS.

Its goal is to reduce the risk of data being viewed when the tablet / PC is lost / stolen

Currently this application allows users to encrypt / password Stanford uses the JavaScript crypto library and then saves it in local storage if the user can successfully authenticate to the server if the application goes offline then use The subject has to be certified 'locally' against the encrypted user / password at the local location.

In addition, an unencrypted user / password is stored in session storage, if the user successfully authenticates the server, it is used so that the application can periodically attempt to restore contact with the server. And could re-authenticate the user 'randomly' without the need to re-enter its credentials.

I know posts / discussions about the duplication of client side encryption and and .nczonline.net / blog / 2010/04/13 / towards-more-secure-client-side-data-storage / + Others Although I am unsure about how this scenario applies in this scenario.

I am looking for the criticism of the approach of data as per the need of data storage offline. If there is a better way, then please expand

thanks

authentication versus secure storage

I will start with the problem of big design: You start working with this problem as if it is about authentication , where (potentially bad) the user Your application needs to be proven that it is a legitimate user but actually you have storage Or are facing, as the runtime environment, which is in the hands of your sensitive information, which is working with your application, the attacker if the computing device is stolen. In the case of a Javascript application, offline data and code analysis is more comfortable in case of some binary code.

For example, if I would like to attack your application, then I used to first store the session (cookies? Just use the browser interface to see them) and see if I can get the username and password there. is. If I do not follow the code that is used to decrypt the password in local storage (possibly using the JavaScript debugger) The way you describe your application, it seems that the function provided by the user Without a key, it can decrypt it. Maybe I can just change the user's local authentication by changing something like (authenticated user ()) to if if (true) .

What you really need to do is encrypt all sensitive, local data with a key that is not stored on the client side. For example, when the user accesses your application, ask for the decryption key each time, use that key to decrypt data stored locally (and encrypt every new one you store) And throw the key after a certain time of inactivity . Or whenever you access your application and retrieve the decryption key from there and throw it after a certain time of inactivity, then can authenticate the user against the server.

At this time a javascript environment choice actually stops your cause because you can not force the runtime environment to throw the decryption key when you want it to be very difficult with the C applications As you have to work carefully to swap the RAM on HDD. Depending on the information that works with your application, it may be enough to ask the browser to close down after the user has completed and assumes that the attacker is not sufficiently motivated, so that the browser The RAM can be changed. / P>

Saving login data locally

Because it is the most sensitive information to work with you, user login information should never be stored on the customer. Instead, certify once against the server and recover its authentication token for future interaction. It will basically be similar to a session cookie and after some time the expiration (if it does not end at all, it is good as a password).

Comments

Post a Comment

Popular posts from this blog

Java - Error: no suitable method found for add(int, java.lang.String) -

I'm in the middle of homework work and I'm stuck. At this point in my code, I think that I should have a GUI window that opens and allows me to type "inserted text number". Notice is not going anywhere but at this point, If I pass through the problem then it will be in a linked list. I am getting two of the same error for the lines. Add (index, element); And I can not seem to get past it, there is no suitable method for the error "add (int, java. string string)". Code is below, please advise. To clarify - this will not be a method error because it is a linked list. There should not be any way involved. import java.awt. *; Import java.awt.event. *; Import javax.swing. *; Import java.util. *; Import java.util.Scanner; Import java.util.LinkedList; Public class TopTenList JFrame {Private TopTenList tt; See the Private JTextArea list; Private JTextField cmdTextField; Private JTextField resultsTestfield; // This GUI window is the code for the public toptist...
Read more

java - JPA TypedQuery: Parameter value element did not match expected type -

I am using JPA 2.0 and getting the following code in the DAO layer: Public Zero Test () {string key = "status"; String [] Conditions = {"A", "B"}; & Lt; TestTable & gt; Results = Search (Keys, Conditions); } Public listing & lt; TestTable & gt; Search (string key, object value error) {string sql = "test ndf to testlet and jade nand." + Key + "in:" + key; TypedQuery & LT; TestTable & gt; Query = entityManager.createQuery (SQL, TestTable.class); Query.setParameter (key, Arrays.asList (valueArr)) / *** Error Line *** Return query.getResultList (); } In the above error line, it throws the following exception: java.lang.IllegalArgumentException: parameter value element [[Ljava.lang.String; @ cbe5bc] did not match the expected type [java.lang.String] Why is this expected type string while actually this string []? Please help! Note: This is derived from the normal routine and is a simplified code. I can no...
Read more

c++ - static template member variable has internal linkage but is not defined -

Yes, I know, there is a question with almost the same title, but it refers to a different situation. Error message) In my case, I have a .cpp file with a big named designation name (implementation details). There is a property class template with a static data member in that name space, which I need to access from outside the unknown namespace. I give it a little bit of meat: file.hpp namespace Bar {template & lt; Typename A & gt; Struct foo {static_assert (is_same & lt; a, float & gt; :: value} is_same & lt; a, double>: value, ""); Fixed zero set_static_var (a const & x); // ...}; } and file.cpp namespace {template & lt; Typename A & gt; Struct foo_traits {// supports the implementation of several static code bars: foo & lt; & Gt; Fixed A data; }; The template's & lt; & Gt; Float foo_traits & lt; Float & gt; :: datum; // No change if this is in the global namespace template & lt; & Gt; Doub...
Read more