Local data

rrrado wrote:

Server is just storage for client's encrypted data, server must not know the password. I don't worry about security of client's password in his browser, it is his problem to secure his computer (actually it is designed primarily for smartphones).

Not Active wrote (#5):

rrrado wrote:

server must not know the password

Then how do you intend to authenticate the users?

rrrado wrote:

I don't worry about security of client's password in his browser

You are a complete FOOL!

rrrado wrote:

it is his problem to secure his computer

Wrong answer. You are writing the application, it is up to you to provide the appropriate level of security for your application.

I know the language. I've read a book. - _Madmatt


rrrado wrote (#6):

Mark Nischalke wrote:

Then how do you intend to authenticate the users?

It is not important in my question, it can be done by classic login form (with another pass) + cookies, or HTTP auth, or none. Let's say I've already received encrypted data from server.

Mark Nischalke wrote:

You are a complete FOOL!

Thank you, but I really think it is not possible to save password "safely" in JavaScript when USER decides to save it. Only to save it encrypted with some master password which the user would need to type each time, so it does not make sense to save the first password in this case.


Not Active wrote (#7):

rrrado wrote:

I really think it is not possible to save password "safely" in javascript

EXACTLY!!! It doesn't matter if you use a master password of some sort, it still must be transmitted to the client and decrypted in JavaScript! The only thing you accomplish with transmitting the master password is to give someone access to ALL instances of your application, not just one. At that point you might as well not even use authentication because you have no security. Please stop posting until you learn more about what you are doing.

I know the language. I've read a book. - _Madmatt


rrrado wrote (#8):

I'm afraid you don't understand what I need to do. I'll try to explain in other words. I'm not solving the problem with authentication. The user creates some data on his computer, then encrypts it LOCALLY with some password and uploads it to the server. Server does not know the password, server is not able to decrypt the data! (When somebody hacks the server, he can get the data but has no password.) Then the user goes to some URL with the web application and downloads the data from the server (don't think about authentication, it is not important now). It will provide the pass to JS which decrypts the data. I need to offer storing the password somewhere so he doesn't need to type the pass each time he opens the application in the browser. If he is paranoid then he won't save the password. I was hoping somebody would know whether it is possible to force the browser (from JS) to save the password into its auto-form-filler store which fills the forms.


Not Active wrote (#9):

I'm afraid you have not been listening. So you have a password on the client machine, yes, auto-complete forms do this all the time. Now you are transmitting the encrypted data to the client for decryption by a JavaScript function. Where does the JavaScript come from? It has to be downloaded to the client which leaves it vulnerable to interception. Now your encryption algorithm is exposed along with the data. How long will it take for some script kiddie to hack in with this info? I doubt you are even using a secure protocol or know what it is or how to use it. Your ignorance is putting the client's data at risk unnecessarily and they should terminate the engagement with you. Now, once again, stop posting until you learn what you are doing.

I know the language. I've read a book. - _Madmatt


fjdiewornncalwe wrote (#10):

You are missing the fundamental point... The Data WILL ALWAYS come from the server. It's useless to wrap a completely insecure process with some faux authentication that in reality does nothing.

I wasn't, now I am, then I won't be anymore.


rrrado wrote (#11):

As I've written before, I'm not solving the authentication problem.


rrrado wrote (#12):

I know what I am doing. I've asked a question. If you don't know the answer, ok. If you have some ideas in an area I haven't asked about, I can discuss it, maybe we both will learn something. But why are you so offensive and writing me to stop posting? You don't know all the details about the used algorithm (because it is not important to get an answer to my question) but you know I'm a complete fool :) If you are concerned about details I haven't written, just ask. FYI data is transmitted over HTTPS. The AES is used to encrypt the data. I don't know script kiddies who can crack HTTPS, then AES. The whole point is to make the server unable to decrypt the data. Yes, the server could modify the JS to send the password back, but JS is easy to read and a paranoid user can see what it is doing, or can save the HTML+JS locally and always use a trusted copy. If you can see some way a script kid can steal other users' data, let me know.

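The scheme described in posts #8 and #12 (encrypt locally with a password, store only ciphertext on the server), sketched with the Web Crypto API as an added example that is not code from the thread or from any poster. The thread only says AES is used; PBKDF2 key derivation, AES-GCM mode, the iteration count, the blob layout and the function names `encryptForUpload` and `decryptDownloaded` are all assumptions.

```javascript
// Added example: PBKDF2, AES-GCM and all names below are assumptions, not the poster's code.
// In a browser globalThis.crypto is used; the require() fallback only runs on older Node.js.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const PBKDF2_ITERATIONS = 310000; // assumed work factor, tune for the target devices

// Stretch the password into a 256-bit AES-GCM key bound to a per-blob salt.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable: script cannot read the raw key bytes back
    ["encrypt", "decrypt"]);
}

const toB64 = (buf) =>
  btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(""));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Returns the only object the server ever stores: salt, IV and ciphertext.
// Neither the password nor the derived key is part of it.
async function encryptForUpload(password, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh for every encryption
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  return { v: 1, salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Rejects (throws) if the password is wrong or the stored blob was modified,
// because AES-GCM authenticates the ciphertext.
async function decryptDownloaded(password, blob) {
  const key = await deriveKey(password, fromB64(blob.salt));
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: fromB64(blob.iv) }, key, fromB64(blob.ct));
  return new TextDecoder().decode(pt);
}
```

The authenticated mode covers tampering with the stored blob; it does not cover the point raised in post #12 that the server could serve modified JavaScript.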

fjdiewornncalwe wrote (#13):

:doh: [ Vigorously banging head on wall, then giving up ] :doh:

I wasn't, now I am, then I won't be anymore.


Not Active wrote (#14):

Move over, save some wall for me

I know the language. I've read a book. - _Madmatt
