HTML5 - offline mode, localStorage and security in the same boat

My customer wants to work online and offline to manage data, usually to create or retrieve products.

In online mode, he wants to use web services and the server database, but when disconnected (network outage or something else), he wants the data to be saved encrypted in localStorage.

I am going to use a JavaScript crypto lib, getting the password from the login page and using the key derived from that password as the encryption passphrase. The key will be stored in a plain JavaScript var (the page is dynamic, so no page change).

What are your thoughts on this issue, and what solution would you envisage? Any good JavaScript crypto lib?

+6
1 answer

The solution, as you say, is to derive the key from the client's password. Therefore, you should never store it directly. This is the method used by the LastPass password manager. The function most people use for this is PBKDF2. Storing the key in a simple var is not really insecure, since if someone can read that var, they can also read the data your client is working on. Just make sure you clear the data when the client logs out.

Fortunately, this library already does almost all of this very well and was actually written by honest-to-god cryptographers, not by some Web 2.0 type who read a Bruce Schneier book and thought they knew everything they needed to know about cryptography.

+7

Source: https://habr.com/ru/post/917084/
