Client Side Secure Storage
Scalability for free


Dominik Gätjens

Computer Science and Media
Hochschule der Medien, Stuttgart


27. January 2012


Dominik Gätjens         Client Side Secure Storage         1 of 24
Agenda
 1   Why Client Side Storage?
       Sessions are a workaround
       Sessions scale very bad
       Scaling at no cost
 2   Where to store?
       Client Side Capabilities
       Transmission Performance
       Client Side Scaling
 3   How to store secure?
       Encrypt Data
       Signatures
       Message Authentication Codes
 4   Conclusion
       Conclusion

 1   Why Client Side Storage?


HTTP is stateless




     "HTTP is a stateless protocol. A stateless protocol does not
     require the server to retain information or status about each
     user for the duration of multiple requests."
                                  – Wikipedia –




HTTP Sessions are a Workaround, aren't they?




     - HTTP is built on a stateless approach
         - no connection indicator
         - when does a session start? when does it end?
         - ⇒ sessions can only be closed by timeout
     - Every open session consumes memory




Server Side State

[Diagram: Clients A, B, C and D talk to one server; the server's memory
holds one session per client (Session A, Session B, Session C, ...)]




Sessions scale very badly




     - No simple adding of machines
     - You have to guarantee that one user always lands on the same
       machine
     - Or you have to implement a complex multi-machine session
       storage




Scaling at no cost



  Build your web server like a web service:
      - The client brings the data
      - The server application consists of several independent functions
      - Functions are free of side effects
  so you get a simple stateless web server that you scale up by just
  adding machines





 2   Where to store?


Client Side Capabilities
      - Cookies
          - RFC 2965: min. 20 cookies of 4 kB each = 80 kB per domain
          - Firefox 2, 3 and IE7 support 50 cookies of 4 kB each = 200 kB
          - Flash cookies: unlimited storage
      - HTML markup, e.g. hidden fields
      - JavaScript RAM
      - HTML5 Storage




Transmission Performance

Measured transfer time per payload size (values read from the chart):

  Payload    Time
  1 kB       76 ms
  2 kB       82 ms
  8 kB       112 ms
  16 kB      145 ms
  32 kB      209 ms
  128 kB     297 ms
  512 kB     598 ms
  1024 kB    935 ms

Typical round-trip times:

  100BaseT   1 ms
  WLAN       10 ms
  DSL-6000   40 ms
  DSL-2000   55 ms
  ISDN       200 ms




Client Side State

[Diagram: each client (A, B, C, D) carries its own session (Session A, B,
C, D); the server's memory box is empty]




Client Side State

[Diagram: the client sends its state data to the server; the server checks
the integrity of the data and then dispatches to one of several
independent methods]




 3   How to store secure?


Encrypt Data




     - The client can't manipulate encrypted data without knowing the
       encryption key
     - but the client can't read the encrypted data without the key either
     - Security is that of the encryption algorithm and key you use




Signature




     - Don't encrypt the data, just sign it
     - Most web servers already have SSL certificates
     - Use your private key to sign the data saved on the client




Signature

[Chart: 1000 samples with DSA, DSA Sign vs. DSA Verify at 512 B, 1 KB,
4 KB and 1 MB]
      - Complexity is independent of the data size
      - Verification consumes a lot of CPU time




HMAC


 HMAC = Keyed-Hash Message Authentication Code,
 a cryptographically secure message authentication code
     hmac = H((K ⊕ opad) || H((K ⊕ ipad) || text))
     K = key, zero-padded to the block size B
     B = block size of the hash function
     opad = 0x5C repeated B times
     ipad = 0x36 repeated B times
     || = concatenation
 Popular cryptographic hash functions are SHA1 and MD5
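As an added worked example (not from the slides), the formula above implemented by hand in Python and cross-checked against the standard library's `hmac` module and the RFC 2202 HMAC-SHA1 test vector; the key and message values are constructed for the demonstration.

```python
import hashlib
import hmac

# RFC 2202 test case 1 (HMAC-SHA1): key = 20 bytes of 0x0b, data = "Hi There".
RFC2202_KEY = bytes([0x0B] * 20)
RFC2202_DATA = b"Hi There"
RFC2202_HMAC_SHA1 = "b617318655057264e28bc0b6fb378c8ef146be00"


def hmac_from_formula(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC built literally from the slide's formula:
    H((K xor opad) || H((K xor ipad) || text)), where || is concatenation."""
    block_size = hashlib.new(hash_name).block_size  # B: 64 bytes for MD5, SHA-1 and SHA-256
    # RFC 2104: a key longer than B is first hashed down to a digest,
    # then K is zero-padded to exactly B bytes so the XOR with the pads is defined.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(k ^ 0x36 for k in key)  # K xor (0x36 repeated B times)
    k_opad = bytes(k ^ 0x5C for k in key)  # K xor (0x5C repeated B times)
    inner = hashlib.new(hash_name, k_ipad + text).digest()  # H((K xor ipad) || text)
    return hashlib.new(hash_name, k_opad + inner).digest()  # H((K xor opad) || inner)


def matches_stdlib(key: bytes, text: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module (RFC 2104)."""
    reference = hmac.new(key, text, hash_name).digest()
    return hmac.compare_digest(hmac_from_formula(key, text, hash_name), reference)


def rfc2202_vector_passes() -> bool:
    """The published HMAC-SHA1 test vector must come out of the hand-built version."""
    return hmac_from_formula(RFC2202_KEY, RFC2202_DATA, "sha1").hex() == RFC2202_HMAC_SHA1


if __name__ == "__main__":
    print("RFC 2202 vector:", rfc2202_vector_passes())
    print("matches stdlib (sha1):", matches_stdlib(b"secret", b"user=alice;role=user"))
    print("matches stdlib (md5, long key):", matches_stdlib(b"x" * 200, b"long key", "md5"))
```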




MD5 vs. SHA1


 MD5 is faster than SHA1, isn't it?

 Digest performance in megabytes per second [1]

              Pentium P5 90 MHz    Power Mac 80 MHz    SPARC 4 110 MHz
   MD5              13.1                  3.1                5.1
   SHA1              2.5                  1.2                2.0

 [1] Bob Baldwin, RSA Data Security Inc. (1996)
HMAC Performance

[Chart: 1000 samples with HMAC-SHA1 and HMAC-MD5 at 512 B, 1 KB, 4 KB and
1 MB; y axis from 0 to 0.12]


HMAC Performance

[Chart: 1000 samples with HMAC-SHA1 and DSA signature at 512 B, 1 KB,
4 KB and 1 MB; y axis from 0 to 10]



 4   Conclusion


Conclusion

     - Don't store information in the server session if there is any chance
       that you will have to scale
     - Compute an HMAC-SHA1 over data that shouldn't be altered by
       the client
     - If your data size is low, use cookies
     - If your data size is medium, use cookies but make sure they won't be
       transmitted with every request
     - If your data size is high, use signed HTML5 storage or Flash
       cookies
     - Cryptographic client side storage is as secure as
       HTTP sessions
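An added example of what the conclusion recommends (not the author's code): a stateless server hands its session state to the client as a cookie value `payload.tag`, with tag = HMAC-SHA1(key, payload), and on the way back accepts the state only if the tag verifies and the signed expiry has not passed. The key, state fields, timestamps and the `demo` walk-through are constructed for this illustration.

```python
import base64
import binascii
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment generates a random secret and keeps it server-side only.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(body: dict) -> bytes:
    # Canonical JSON so that the same state always produces the same bytes and tag
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_state(state: dict, key: bytes = SERVER_KEY, ttl: int = 3600,
                now: Optional[float] = None) -> str:
    """Turn the state into a cookie value 'payload.tag' with tag = HMAC-SHA1(key, payload).
    The expiry lives inside the signed payload, so the client cannot extend it."""
    now = time.time() if now is None else now
    payload = _encode(dict(state, exp=int(now) + ttl))
    tag = hmac.new(key, payload, "sha1").digest()  # the digest name is the only thing to change for SHA-256
    return _b64(payload) + "." + _b64(tag)


def verify_state(token: str, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the state dict if the tag matches and the token has not expired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, "sha1").digest()
    # Constant-time comparison: a plain == would leak how many tag bytes matched
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        body = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return None
    body.pop("exp", None)
    return body


def demo(now: float = 1_700_000_000.0) -> dict:
    """Happy path, a payload edited on the client without the key, and an expired token."""
    token = issue_state({"user": "alice", "role": "user"}, now=now)
    payload_b64, tag_b64 = token.split(".", 1)
    edited = json.loads(_unb64(payload_b64))
    edited["role"] = "admin"                              # the client changes its stored state ...
    edited_token = _b64(_encode(edited)) + "." + tag_b64  # ... but cannot recompute the tag
    return {
        "valid": verify_state(token, now=now + 60),
        "edited": verify_state(edited_token, now=now + 60),
        "expired": verify_state(token, now=now + 7200),
        "garbage": verify_state("not-a-token", now=now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:8s} -> {result}")
```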


The End


               Keep your state less




 Further questions or discussion? Contact me at:
  E-Mail:   info@dominik-gaetjens.de
  Xing:     http://xing.to/gaetjens

GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 

Client Side Secure Storage

  • 1. Client Side Secure Storage: Scalability for free
       Dominik Gätjens, Computer Science and Media, Hochschule der Medien, Stuttgart
       27 January 2012
  • 2. Agenda
       1 Why Client Side Storage?
         Sessions are a workaround
         Sessions scale very badly
         Scaling at no cost
       2 Where to store?
         Client Side Capabilities
         Transmission Performance
         Client Side Scaling
       3 How to store securely?
         Encrypt Data
         Signatures
         Message Authentication Codes
       4 Conclusion
  • 4. HTTP is stateless
       "HTTP is a stateless protocol. A stateless protocol does not require the server to retain information or status about each user for the duration of multiple requests." (Wikipedia)
  • 5. HTTP sessions are a workaround, aren't they?
       HTTP is built on a stateless approach: there is no connection indicator, so the server cannot tell when a session starts or when it ends.
       ⇒ An abandoned session can only be reclaimed by timeout (a client that simply goes away never tells the server).
       Every open session consumes server memory until then.
  • 6. Server Side State
       [Figure: clients A, B, C and D talk to one server; the server's memory holds one session object per client (Session A, Session B, Session C, ...).]
  • 7. Sessions scale very badly
       You cannot simply add machines:
       either you have to guarantee that a given user always lands on the same machine (sticky sessions),
       or you have to implement a complex multi-machine session store.
  • 8. Scaling at no cost
       Build your web server like a web service:
       the client brings the data with every request,
       the server application consists of several independent functions,
       and the functions have no side effects (no per-user state kept between requests),
       so you get a stateless web server that you can scale simply by adding machines.
  • 10. Client Side Capabilities
       Cookies: RFC 2965 requires at least 20 cookies of 4 KB each per domain (80 KB); Firefox 2/3 and IE7 support 50 cookies of 4 KB (200 KB)
       Flash cookies: unlimited storage (Flash Player has been end-of-life since 2020, so this option no longer exists in practice)
       HTML markup, e.g. hidden form fields
       JavaScript RAM (lost on every page reload)
       HTML5 Storage (localStorage / sessionStorage)
  • 11. Transmission Performance
       [Figure: transfer time versus payload size; values as read from the chart]
       Payload:   1 kB    2 kB    8 kB    16 kB   32 kB   128 kB  512 kB  1024 kB
       Time:      76 ms   82 ms   112 ms  145 ms  209 ms  297 ms  598 ms  935 ms
       Typical round-trip times: 100BaseT 1 ms, WLAN 10 ms, DSL-6000 40 ms, DSL-2000 55 ms, ISDN 200 ms
  • 12. Client Side State
       [Figure: clients A, B, C and D each carry their own session (Session A to Session D); the server's memory holds no per-client state.]
  • 13. Client Side State
       [Figure: the client sends its state data with the request; the server first checks the data's integrity, then dispatches to one of several independent methods.]
  • 15. Encrypt Data
       The client cannot read encrypted data without the encryption key,
       but an encrypted blob is not automatically tamper-proof: with a malleable mode such as CTR or CBC the client can flip bits of the plaintext by flipping bits of the ciphertext, without knowing the key. Encrypted client-side state therefore still needs a MAC, or an authenticated mode such as AES-GCM, to protect its integrity.
       The security is that of the chosen encryption algorithm and key.
  • 16. Signature
       Don't encrypt the data, just sign it.
       Most web servers already have an SSL certificate.
       Use your private key to sign the client-saved data. (Caveat: reusing the TLS key for application signing is key reuse; a separate signing key is the safer choice.)
  • 17. Signature
       [Figure: 1000 samples with DSA, sign time versus verify time for 512 B, 1 KB, 4 KB and 1 MB inputs (y axis 0 to 7).]
       Complexity is independent of the data size.
       Verification consumes a lot of CPU time.
  • 18. HMAC
       HMAC = Keyed-Hash Message Authentication Code, a cryptographically secure message authentication
       hmac = H((K ⊕ opad) ‖ H((K ⊕ ipad) ‖ text))
       K = key, zero-padded to the block size (a key longer than B is hashed first)
       B = block size of the hash function (64 bytes for MD5, SHA-1 and SHA-256)
       opad = 0x5C repeated B times
       ipad = 0x36 repeated B times
       ‖ = concatenation
       Popular hash functions for HMAC are SHA-1 and MD5 (the ones used in the benchmarks that follow); today HMAC-SHA-256 is the default choice, since MD5 and SHA-1 are deprecated as hash functions.
  • 19. MD5 vs. SHA-1
       MD5 is faster than SHA-1, isn't it?
       Digest performance in megabytes per second [1]:
                Pentium P5 90 MHz   Power Mac 80 MHz   SPARC 4 110 MHz
       MD5      13.1                3.1                5.1
       SHA1     2.5                 1.2                2.0
       [1] Bob Baldwin, RSA Data Security Inc. (1996)
  • 20. HMAC Performance
       [Figure: 1000 samples with HMAC-SHA1 and HMAC-MD5, time versus input size for 512 B, 1 KB, 4 KB and 1 MB (y axis 0 to 0.12).]
  • 21. HMAC Performance
       [Figure: 1000 samples with HMAC-SHA1 versus DSA signature, time versus input size for 512 B, 1 KB, 4 KB and 1 MB (y axis 0 to 10).]
  • 23. Conclusion
       Don't store information in the server session if there is any chance that you will have to scale.
       Compute an HMAC (the slides use HMAC-SHA1) over data that must not be altered by the client, and verify it on every request before using the data.
       If your data size is low, use cookies.
       If your data size is medium, use cookies but make sure they are not transmitted with every request (e.g. by restricting the cookie's Path).
       If your data size is high, use signed HTML5 storage or Flash cookies.
       Cryptographic client-side storage is as tamper-resistant as an HTTP session; note that an HMAC alone does not hide the data from the client, and an old but validly signed state can be replayed within its lifetime.
  • 24. The End
       Keep your state less.
       Further questions or discussion? Contact me at:
       E-Mail: info@dominik-gaetjens.de
       Xing: http://xing.to/gaetjens