Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Client Side Secure Storage

885 views

Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

Client Side Secure Storage

  1. 1. Why Client Side Storage? Where to store? How to store secure? Conclusion Client Side Secure Storage Scalability for free Dominik G¨tjens a Computer Science and Media Hochschule der Medien, Stuttgart 27. January 2012 Dominik G¨tjens a Client Side Secure Storage 1 of 24
  2. 2. Why Client Side Storage? Where to store? How to store secure? ConclusionAgenda 1 Why Client Side Storage? Sessions are a workaround Sessions scale very bad Scaling at no cost 2 Where to store? Client Side Capabilities Transmission Performance Client Side Scaling 3 How to store secure? Encrypt Data Signatures Message Authentication Codes 4 Conclusion Conclusion Dominik G¨tjens a Client Side Secure Storage 2 of 24
  3. 3. Why Client Side Storage? Sessions are a workaround Where to store? Sessions scale very bad How to store secure? Scaling at no cost ConclusionAgenda 1 Why Client Side Storage? Sessions are a workaround Sessions scale very bad Scaling at no cost 2 Where to store? Client Side Capabilities Transmission Performance Client Side Scaling 3 How to store secure? Encrypt Data Signatures Message Authentication Codes 4 Conclusion Conclusion Dominik G¨tjens a Client Side Secure Storage 3 of 24
  4. 4. Why Client Side Storage? Sessions are a workaround Where to store? Sessions scale very bad How to store secure? Scaling at no cost ConclusionHTTP is stateless ”HTTP is a stateless protocol. A stateless protocol does not require the server to retain information or status about each user for the duration of multiple requests.” – Wikipedia – Dominik G¨tjens a Client Side Secure Storage 4 of 24
  5. 5. Why Client Side Storage? Sessions are a workaround Where to store? Sessions scale very bad How to store secure? Scaling at no cost ConclusionHTTP Sessions are a Workaround, arent they? HTTP is build on a stateless approach no connection indicator when does a session start? when does it end? ⇒ sessions can only be closed by timeout Every open session consumes memory Dominik G¨tjens a Client Side Secure Storage 5 of 24
  6. 6. Why Client Side Storage? Sessions are a workaround Where to store? Sessions scale very bad How to store secure? Scaling at no cost ConclusionServer Side State Client A Server Memory Client B Session A Client C Session B Session C Client D Dominik G¨tjens a Client Side Secure Storage 6 of 24
  7. 7. Why Client Side Storage? Sessions are a workaround Where to store? Sessions scale very bad How to store secure? Scaling at no cost ConclusionSessions scale very bad No simple adding of machines You have to guarantee that one user always lands on the same machine Or you have to implement a complex multi-machine session storage Dominik G¨tjens a Client Side Secure Storage 7 of 24
  8. 8. Why Client Side Storage? Sessions are a workaround Where to store? Sessions scale very bad How to store secure? Scaling at no cost ConclusionScaling at no cost Build your webserver like a webservice: The client brings the data The server application consists of several independet functions Functions are without side effects so you get an easy stateless webserver which you can simply upgrade through adding machines Dominik G¨tjens a Client Side Secure Storage 8 of 24
  9. 9. Why Client Side Storage? Client Side Capabilities Where to store? Transmission Performance How to store secure? Client Side Scaling ConclusionAgenda 1 Why Client Side Storage? Sessions are a workaround Sessions scale very bad Scaling at no cost 2 Where to store? Client Side Capabilities Transmission Performance Client Side Scaling 3 How to store secure? Encrypt Data Signatures Message Authentication Codes 4 Conclusion Conclusion Dominik G¨tjens a Client Side Secure Storage 9 of 24
  10. 10. Why Client Side Storage? Client Side Capabilities Where to store? Transmission Performance How to store secure? Client Side Scaling ConclusionClient Side Capabilities Cookies RFC 2965: min. 20 Cookies a 4kb = 80kb pro Domain Firefox 2,3 and IE7 supports 50 cookies a 4kb = 200kb Flash-Cookies unlimited storage HTML-Markup e.g. hidden fields Javascript-RAM HTML5 Storage Dominik G¨tjens a Client Side Secure Storage 10 of 24
  11. 11. Why Client Side Storage? Client Side Capabilities Where to store? Transmission Performance How to store secure? Client Side Scaling ConclusionTransmission Performance1000 ms 935 ms 900 ms 800 ms Typical Roundtrip Times 700 ms 598 ms 100BaseT 1ms 600 ms WLAN 10ms 500 ms DSL-6000 40ms 400 ms DSL-2000 55ms 297 ms ISDN 200ms 300 ms 209 ms 200 ms 145 ms 112 ms 100 ms 76 ms 82 ms ms 1 kB 2 kB 8 kB 16 kB 32 kB 128 kB 512 kB 1024 kB Dominik G¨tjens a Client Side Secure Storage 11 of 24
  12. 12. Why Client Side Storage? Client Side Capabilities Where to store? Transmission Performance How to store secure? Client Side Scaling ConclusionClient Side State Client A Server Session A Memory Client B Session B Client C Session C Client D Session D Dominik G¨tjens a Client Side Secure Storage 12 of 24
  13. 13. Why Client Side Storage? Client Side Capabilities Where to store? Transmission Performance How to store secure? Client Side Scaling ConclusionClient Side State Server Method Method Client State Data Check integrity Method Method Dominik G¨tjens a Client Side Secure Storage 13 of 24
  14. 14. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionAgenda 1 Why Client Side Storage? Sessions are a workaround Sessions scale very bad Scaling at no cost 2 Where to store? Client Side Capabilities Transmission Performance Client Side Scaling 3 How to store secure? Encrypt Data Signatures Message Authentication Codes 4 Conclusion Conclusion Dominik G¨tjens a Client Side Secure Storage 14 of 24
  15. 15. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionEncrypt Data Client can’t manipulate encrypted data without knowledge of encryption-key but Client can’t even read encrypted data without encryption-key Security is the same as the use Encryption-Algorithm and Key Dominik G¨tjens a Client Side Secure Storage 15 of 24
  16. 16. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionSignature Don’t crypt data, just sign them Most Webserver have SSL-Certificates Use your private key to sign client-saveed data Dominik G¨tjens a Client Side Secure Storage 16 of 24
  17. 17. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionSignature 1000 Samples with DSA765 Complexity independent from Datasize4 DSA Sign Verrification consumes a lot3 DSA Verify of CPU-Time210 512 B 1 KB 4 KB 1MB Dominik G¨tjens a Client Side Secure Storage 17 of 24
  18. 18. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionHMAC HMAC = Keyed-Hash Message Authentication Code a cryptographic secure message authentication hmac = H(K ⊕ opad, H(K ⊕ ipad, text)) K = Key B = Blocksize opad = 0x5C repeated B times ipad = 0x36 repeated B times Popular cryptographic functions are SHA1 and MD5 Dominik G¨tjens a Client Side Secure Storage 18 of 24
  19. 19. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionMD5 vs. SHA1 MD5 is faster than SHA1, isn’t it? 1 Digest Perfomance in MegaBytes per Second Pentium P5 90MHz Power Mac 80MHz SPARC 4 110 MHz MD5 13.1 3.1 5.1 SHA1 2.5 1.2 2.0 1 Bob Baldwin, RSA Data Security Inc. (1996) Dominik G¨tjens a Client Side Secure Storage 19 of 24
  20. 20. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionHMAC Perfomance 1000 Samples with HMAC-SHA1 and HMAC-MD5 0,12 0,1 0,08 0,06 SHA-1 MD5 0,04 0,02 0 512 B 1 KB 4 KB 1MB Dominik G¨tjens a Client Side Secure Storage 20 of 24
  21. 21. Why Client Side Storage? Encrypt Data Where to store? Signatures How to store secure? Message Authentication Codes ConclusionHMAC Perfomance 1000 Samples with HMAC-SHA1 and DSA 10 9 8 7 6 5 HMAC_SHA1 DSA Signatur 4 3 2 1 0 512 B 1 KB 4 KB 1MB Dominik G¨tjens a Client Side Secure Storage 21 of 24
  22. 22. Why Client Side Storage? Where to store? Conclusion How to store secure? ConclusionAgenda 1 Why Client Side Storage? Sessions are a workaround Sessions scale very bad Scaling at no cost 2 Where to store? Client Side Capabilities Transmission Performance Client Side Scaling 3 How to store secure? Encrypt Data Signatures Message Authentication Codes 4 Conclusion Conclusion Dominik G¨tjens a Client Side Secure Storage 22 of 24
  23. 23. Why Client Side Storage? Where to store? Conclusion How to store secure? ConclusionConclusion Don’t store Information in the server session if there is any chance that you have to scale Compute HMAC-SHA1 over data that shouldn’t be alterted by the client If your Datasize is low use Cookies If your Datasize is medium use Cookies but be sure they wont be transmitted with every request If your Datasize is high youse signed HTML5-Storage or flash cookies Cryptographic Client Side Storage as secure as HTTP-Sessions Dominik G¨tjens a Client Side Secure Storage 23 of 24
  24. 24. Why Client Side Storage? Where to store? Conclusion How to store secure? ConclusionThe End Keep your state less Further questions or discussion? Contact me at: E-Mail: info@dominik-gaetjens.de Xing: http://xing.to/gaetjens Dominik G¨tjens a Client Side Secure Storage 24 of 24

×