Breakdown

Reputation: 271

HTML5 - offline mode, localStorage and security are on a boat

My client wants to be able to work online and offline to manipulate data, typically to create or retrieve products.

While online, he wants to use web services and the server database, but when offline (network outage or whatever), he wants the data to be persisted and encrypted in localStorage.

I'm going for a JavaScript crypto lib, getting the password from the login page and using a password-derived key as the encryption passphrase. The key would be stored in a simple JavaScript var (the page is dynamic, so no page change).

What are your inputs on the matter, and what solution would you recommend? Any good JavaScript crypto lib?

Upvotes: 6

Views: 2129

Answers (1)

imichaelmiers

Reputation: 3519

The solution is, as you say, to derive the key from the client's password. That way you never have to store it directly. This is the technique used by LastPass, a password manager. The function most people use for this is PBKDF2. Storing the key in a simple var is not really insecure, in that if someone can read that var, they could read the data your client is working on. Just make sure you clear the data when the client logs out.

Thankfully, this library already does almost all of these things very well and was written by real honest-to-God cryptographers, and not some Web 2.0 guy who read Bruce Schneier's book and thought he knew all there is to know about crypto.

Upvotes: 7
