Reputation: 683
To make it quick: we are going to publish our web site soon. Our task is to provide live scores, and we are paying money to get live results as fast as possible.
We do not force users to log in to see the latest results, so we don't like somebody calling some URL and getting the results through our web site.
Currently we are using Breeze and we are really happy with it and its functionality (hello Ward). All I want is to encrypt data on the server and decrypt it on the client. I know it's not very efficient, but for now it's enough (just to make it hard). I know I can use hand-made JS to handle this situation, but I will lose Breeze + Knockout functionality if I encrypt the server response (JSON). The other thing I can do is encrypt just the data (column by column); it will not kill me to encrypt on the server and decrypt on the client (I hope not bidirectionally).
I'm looking for something cleaner to hide this complication and allow me not to think about it.
(In a nutshell: we are not a bank; just that when somebody hits this URL, xxxxx/breeze/api/soccer, they do not get a human-readable result (and one step ahead of base64; I don't call it encryption or security).)
Upvotes: 1
Views: 421
Reputation: 17863
If I understand correctly, you want someone who hits the raw API to believe that the data are encrypted. Your client app will know better and "decrypt" to readable form.
I don't have a JS library for simulating crypto. You can find something on the web (check out crypto-js). If I had one, and I wanted it to be as unobtrusive as possible for the client developer (which is the essence of your question, I think), then I would put the "decrypt" inside my custom JsonResultsAdapter. That's the easy place to morph incoming data bits before the app sees them.
It's a different question if you want to "encrypt" them for save. I think you said that is not an issue at the moment.
You do realize that this is an exercise in security-through-obscurity. If that is good enough, then carry on. If you need real confidentiality, well, forget about that in pure JavaScript. You cannot do serious encryption in a browser with JavaScript today. Don't believe anyone who tells you otherwise (see "Javascript Cryptography Considered Harmful"). The only appropriate thing to do is require authentication and use HTTPS from beginning to end. So all the security gurus tell me.
Upvotes: 1
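The JsonResultsAdapter approach from the answer above, as an added example that is not part of the original answer or of Breeze itself: a `visitNode` wrapper that reverses a column-by-column mask before Breeze builds entities. The key, the field names and the `mask`/`unmask`/`withUnmasking`/`createManager` helpers are constructed for illustration, and the wiring assumes the default Web API data service adapter. The key is delivered to every browser, so this only makes the raw response unreadable at a glance and provides no confidentiality.

```javascript
// Reversible masking (XOR + base64). Obfuscation only: KEY ships to every browser.
const KEY = new TextEncoder().encode("constructed-demo-key"); // constructed value
const MASKED_FIELDS = ["homeTeam", "awayTeam", "score"];      // assumed column names

const xorBytes = bytes => bytes.map((b, i) => b ^ KEY[i % KEY.length]);

// Stand-in for the server-side step, so the example round-trips offline.
function mask(text) {
  return btoa(String.fromCharCode(...xorBytes(new TextEncoder().encode(text))));
}

function unmask(b64) {
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder().decode(xorBytes(bytes));
}

// Wrap an existing visitNode: unmask the raw JSON node in place, then delegate,
// so Breeze materializes entities (and Knockout binds) from plain values.
function withUnmasking(baseVisitNode) {
  return function (node, mappingContext, nodeContext) {
    if (node && typeof node === "object") {
      for (const field of MASKED_FIELDS) {
        if (typeof node[field] === "string") node[field] = unmask(node[field]);
      }
    }
    return baseVisitNode(node, mappingContext, nodeContext);
  };
}

// Wiring, given the loaded breeze object (assumes the default Web API adapter).
function createManager(breeze, serviceName) {
  const base = breeze.config.getAdapterInstance("dataService").jsonResultsAdapter;
  const adapter = new breeze.JsonResultsAdapter({
    name: "unmasking",
    extractResults: base.extractResults,
    visitNode: withUnmasking(base.visitNode)
  });
  const dataService = new breeze.DataService({ serviceName, jsonResultsAdapter: adapter });
  return new breeze.EntityManager({ dataService });
}
```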