Dhurka
Dhurka

Reputation: 31

Secured Client-Side script

I have got a particular requirement where some critical algorithms have to be handled in the client-side script and it got to be secured. Using javascript will just expose the algorithm. I am currently evaluating ways to secure the algorithm on the client script. Appreciate any suggestions and alternative approaches.

One option I am thinking about is to download a small applet to the local PC, get the calculations done in it and update the results back. Before deciding on this, I want to know if a client script itself can be made secure coz that would be much easier.

Thanks in advance!

Upvotes: 2

Views: 973

Answers (9)

MSalters
MSalters

Reputation: 180235

Theoretically (and I mean this is a Comp.Sci. sense) this is possible. The cryptographical technique is known as "fully homomorphic encryption". For now, the method isn't practical yet. There are no compilers available that are able to transform your algorithm in its equivalent secure form.

Upvotes: 0

JoshBerke
JoshBerke

Reputation: 67128

Script is not secure, also what level of security do you need? If you download anything to the client the client will be able to look at the algorithim. Of course if you download a native dll, then decompiling it will be harder, the question is if this is good enough.

That an important thing most people miss when evaluating security nothing is trully 100% secure. Because your server admin could go in and steal the binaries off your server. And if your using third party hosting who knows who has access to the server.

The idea is to raise the bar. Do you want to prevent the average script kiddie? Obfuscate it, make it hard for them to understand the gain of understanding the algorithim might not justify the pain in trying to understand it.

The best that you can probally do is keep the algorithim on the server and expose it via a web service.

Upvotes: 3

Vinz
Vinz

Reputation: 2005

You could build a web-service containing the critical algorithm and call it from javascript.

Upvotes: 2

stpe
stpe

Reputation: 3628

Everything that the end-user is controlling to 100% may be tampered with, and this is especially true with JavaScript that is so easily exposed.

You are going down the wrong path. You need to rethink your approach.

Upvotes: 2

Kaleb Brasee
Kaleb Brasee

Reputation: 51965

It it's client-side, then it's not secure. Anything with critical security concerns should be done on the server.

Upvotes: 1

Simon P Stevens
Simon P Stevens

Reputation: 27509

Nothing on the client side can be totally "secure".

Anything you make them download will have to be run on the client PC, and so can be analysed. If you have them download an applet or a native executable, it will still contain machine instructions that can be analysed at the very least to an assembly level.

Is there no way you can have the client upload the data to your server instead and perform the calculation on the server side?

Upvotes: 1

jldupont
jldupont

Reputation: 96836

An NPAPI plugin will execute on the client-side and make reverse-engineering much more difficult.... but of course a determined hacker will be able to reach-through...

Upvotes: 0

Aiden Bell
Aiden Bell

Reputation: 28384

Bottom line is, if someone wants your logic ... they will get it unless it is server-side and they never obtain it in any way.

What you want is a Javascript obfuscator

Upvotes: 1

EFraim
EFraim

Reputation: 13058

You CANNOT secure anything on a client PC.

Everything you are doing client-side is crackable and spuffable.

That's the PC of the client. It will be doing anything the client has requested it to do.

Upvotes: 4

Related Questions