Securing Client Side Data

Andrew Duncan at ModUX 2013
http://moduxcon.com

Published in: Technology, Education

  1. Securing Client-Side Data
      Andrew Duncan, Co-Founder, SwarmOnline
      @andrewmduncan, andrew@swarmonline.com
      Monday, 23 September 13
  3. Why store client-side?
  4. Improve performance
  5. Make the app work offline
  6. Where can we store our data?
  7. LocalStorage, Cookies, WebSQL, IndexedDB, SessionStorage
  8. HTML5 Storage is not secure. Can we do something about that?
  9. HTML5 Storage and Security
      - Not encrypted
      - It can’t be trusted
      - Don’t store session identifiers
      - Only cookies can use the httpOnly flag
      - SessionStorage is probably our best option
  10. JavaScript can help us... maybe
  11. Watch out for libraries not maintained by cryptographers
  12. Crypto-JS
      - Collection of security algorithms
      - MD5, PBKDF2, AES etc...
      - Easy to use
      - https://code.google.com/p/crypto-js/
  13. Stanford JavaScript Crypto Library
      - AES
      - http://crypto.stanford.edu/sjcl/
  14. Still maintained: https://github.com/bitwiseshiftleft/sjcl/contributors
  15.
      ```javascript
      // sjcl.encrypt(password, plaintext) returns a JSON string
      var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon');
      // "{
      //   "iv": "/mx7CEihT3d7SOwwE7xrWA",
      //   "v": 1,
      //   "iter": 1000,
      //   "ks": 128,
      //   "ts": 64,
      //   "mode": "ccm",
      //   "adata": "",
      //   "cipher": "aes",
      //   "salt": "zWAyQczJww4",
      //   "ct": "nyBREOy9jjrMbQARklcvJg"
      // }"

      var data = sjcl.decrypt('Amsterdam', encryptedData);
      // data = "ModUXCon"
      ```
  16. The user's password is a good key, particularly when used with a key derivation function.
  17. Override Ext.encode & Ext.decode
      - Straightforward approach
      - Useful if ALL JSON is encrypted
      - Could also write your own extended functions
          - Ext.JSON.encodeEncrypted()
          - Ext.JSON.decodeEncrypted()
  18. Original Ext.JSON encode:
      ```javascript
      this.encode = function() {
          var ec;
          return function(o) {
              if (!ec) {
                  // setup encoding function on first access
                  ec = isNative() ? JSON.stringify : doEncode;
              }
              return ec(o);
          };
      }();
      ```
  19. Encode with encryption:
      ```javascript
      this.encode = function() {
          var ec;
          return function(o) {
              if (!ec) {
                  // setup encoding function on first access
                  ec = isNative() ? JSON.stringify : doEncode;
              }
              // serialise to JSON first, then encrypt the JSON string
              // ('KEY' is a placeholder for the password/key)
              return sjcl.encrypt('KEY', ec(o));
          };
      }();
      ```
  20. Original Ext.JSON decode:
      ```javascript
      this.decode = function() {
          var dc;
          return function(json, safe) {
              if (!dc) {
                  // setup decoding function on first access
                  dc = isNative() ? JSON.parse : doDecode;
              }
              try {
                  return dc(json);
              } catch (e) {
                  if (safe === true) {
                      return null;
                  }
                  Ext.Error.raise({
                      sourceClass: "Ext.JSON",
                      sourceMethod: "decode",
                      msg: "You're trying to decode an invalid JSON String: " + json
                  });
              }
          };
      }();
      ```
  21. Decode with decryption:
      ```javascript
      this.decode = function() {
          var dc;
          return function(json, safe) {
              if (!dc) {
                  // setup decoding function on first access
                  dc = isNative() ? JSON.parse : doDecode;
              }
              try {
                  // reverse of encode: decrypt the stored string first,
                  // then parse the recovered JSON
                  return dc(sjcl.decrypt('KEY', json));
              } catch (e) {
                  if (safe === true) {
                      return null;
                  }
                  Ext.Error.raise({
                      sourceClass: "Ext.JSON",
                      sourceMethod: "decode",
                      msg: "You're trying to decode an invalid JSON String: " + json
                  });
              }
          };
      }();
      ```
  22. Overriding The Proxy
      - Provides more flexibility
      - Doesn’t have a knock-on effect across the rest of your app
      - Not all Proxies use JSON (e.g. SQL)
  23. Original getRecord:
      ```javascript
      getRecord: function(id) {
          if (this.cache[id] === undefined) {
              var recordKey = this.getRecordKey(id),
                  item = this.getStorageObject().getItem(recordKey),
                  data = {},
                  Model = this.getModel(),
                  fields = Model.getFields().items,
                  length = fields.length,
                  i, field, name, record, rawData, rawValue;

              if (!item) {
                  return undefined;
              }

              rawData = Ext.decode(item);
              // ...
          }
          return this.cache[id];
      }
      ```
  24. getRecord with decryption:
      ```javascript
      getRecord: function(id) {
          if (this.cache[id] === undefined) {
              var recordKey = this.getRecordKey(id),
                  item = this.getStorageObject().getItem(recordKey),
                  data = {},
                  Model = this.getModel(),
                  fields = Model.getFields().items,
                  length = fields.length,
                  i, field, name, record, rawData, rawValue;

              if (!item) {
                  return undefined;
              }

              // reverse of setRecord: decrypt the stored item first,
              // then decode the recovered JSON
              rawData = Ext.decode(sjcl.decrypt('KEY', item));
              // ...
          }
          return this.cache[id];
      }
      ```
  25. Original setRecord:
      ```javascript
      setRecord: function(record, id) {
          // ...
          try {
              obj.setItem(key, Ext.encode(data));
          } catch (e) {
              this.fireEvent('exception', this, e);
          }
          record.commit();
      }
      ```
  26. setRecord with encryption:
      ```javascript
      setRecord: function(record, id) {
          // ...
          try {
              // encode to JSON, then encrypt before writing to storage
              obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data)));
          } catch (e) {
              this.fireEvent('exception', this, e);
          }
          record.commit();
      }
      ```
  27. W3C Web Cryptography Working Group
  28. Hybrid App Containers
      - Filesystem storage
      - Data storage options
  29. PhoneGap
      - Hardware encryption: limited by platform
      - Use SQLite Plugin
      - SQLCipher
      - Open Source
      - 256-bit encryption
      - http://brodyspark.blogspot.co.uk/
      - Don’t store the key: derive it from the user's password
  30. RhoMobile
      - Similar to PhoneGap
      - Rhom Local Database
      - SQLite Database
      - SQLite Encryption Extension (SEE)
      - All or nothing switch
  31. Sencha Space
      - Secure data stores
      - Secured LocalStorage
      - Secure Files API
      - Remove app access to make the data inaccessible
  32. Remote Wiping Data
      - Use a mobile device management (MDM) suite
      - AirWatch
      - Soti MobiControl
      - Sencha Space
  33. Questions?
