Securing Client-Side Data

Securing Client-Side Data Andrew Duncan, Co-Founder, SwarmOnline @andrewmduncan [email protected] Wednesday,
25 September 13

Wednesday, 25 September 13

Why store client-side? Wednesday, 25 September 13

Improve performance Wednesday, 25 September 13

Make the app work o ine Wednesday, 25 September 13

Where can we store our Data? Wednesday, 25 September 13

LocalStorage Cookies WebSQL IndexedDB SessionStorage Wednesday, 25 September 13

HTML5 Storage is not secure Can we do something about
that? Wednesday, 25 September 13

HTML5 Storage and Security -Not Encrypted -It can’t be trusted
-Don’t store session identiﬁers -Only cookies can use the httpOnly ﬂag -SessionStorage probably our best option Wednesday, 25 September 13

JavaScript can help us... maybe Wednesday, 25 September 13

Watch out for libraries not maintained by Cryptographers Wednesday, 25
September 13

Crypto-JS -Collection of Security Algorithms -MD5, PBKDF2, AES etc... -Easy
to use -https://code.google.com/p/crypto-js/ Wednesday, 25 September 13

Stanford JavaScript Crypto Library -Stanford Javascript Crypto Library -AES -http://crypto.stanford.edu/sjcl/
Wednesday, 25 September 13

https://github.com/bitwiseshiftleft/sjcl/contributors Still Maintained Wednesday, 25 September 13

var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon'); //"{ // "iv": "/mx7CEihT3d7SOwwE7xrWA", //
"v": 1, // "iter": 1000, // "ks": 128, // "ts": 64, // "mode": "ccm", // "adata": "", // "cipher": "aes", // "salt": "zWAyQczJww4", // "ct": "nyBREOy9jjrMbQARklcvJg" //}" var data = sjcl.decrypt('Amsterdam', encryptedData); //data = "ModUXCon" Wednesday, 25 September 13

The users password is a good key, particularly when used
with a key derivation function. Wednesday, 25 September 13

Override Ext.encode & Ext.decode -Straightforward approach -Useful if ALL JSON
is encrypted -Could also write your own extended functions -Ext.JSON.encodeEncrypted() -Ext.JSON.decodeEncrypted() Wednesday, 25 September 13

this.encode = function() { var ec; return function(o) { if
(!ec) { // setup encoding function on ﬁrst access ec = isNative() ? JSON.stringify : doEncode; } return ec(o); }; }(); Wednesday, 25 September 13

this.encode = function() { var ec; return function(o) { if
(!ec) { // setup encoding function on ﬁrst access ec = isNative() ? JSON.stringify : doEncode; } return sjcl.encrypt('KEY', ec(o)); }; }(); Wednesday, 25 September 13

this.decode = function() { var dc; return function(json, safe) {
if (!dc) { // setup decoding function on ﬁrst access dc = isNative() ? JSON.parse : doDecode; } try { return dc(json); } catch (e) { if (safe === true) { return null; } Ext.Error.raise({ sourceClass: "Ext.JSON", sourceMethod: "decode", msg: "You're trying to decode an invalid JSON String: " + json }); } }; }(); Wednesday, 25 September 13

this.decode = function() { var dc; return function(json, safe) {
if (!dc) { // setup decoding function on ﬁrst access dc = isNative() ? JSON.parse : doDecode; } try { return sjcl.decrypt('KEY', dc(json)); } catch (e) { if (safe === true) { return null; } Ext.Error.raise({ sourceClass: "Ext.JSON", sourceMethod: "decode", msg: "You're trying to decode an invalid JSON String: " + json }); } }; }(); Wednesday, 25 September 13

Overriding The Proxy -Provides more ﬂexibility -Doesn’t have a knock-on
effect across the rest of your app -Not all Proxies use JSON (e.g. SQL) Wednesday, 25 September 13

getRecord: function(id) { if (this.cache[id] === undefined) { var recordKey
= this.getRecordKey(id), item = this.getStorageObject().getItem(recordKey), data = {}, Model = this.getModel(), fields = Model.getFields().items, length = fields.length, i, field, name, record, rawData, rawValue; if (!item) { return undefined; } rawData = Ext.decode(item); ... } return this.cache[id]; } Wednesday, 25 September 13

getRecord: function(id) { if (this.cache[id] === undefined) { var recordKey
= this.getRecordKey(id), item = this.getStorageObject().getItem(recordKey), data = {}, Model = this.getModel(), fields = Model.getFields().items, length = fields.length, i, field, name, record, rawData, rawValue; if (!item) { return undefined; } rawData = sjcl.decrypt('KEY', Ext.decode(item)); ... } return this.cache[id]; } Wednesday, 25 September 13

setRecord: function(record, id) { ... try { obj.setItem(key, Ext.encode(data)); }
catch(e){ this.ﬁreEvent('exception', this, e); } record.commit(); } Wednesday, 25 September 13

setRecord: function(record, id) { ... try { obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data)));
} catch(e){ this.ﬁreEvent('exception', this, e); } record.commit(); } Wednesday, 25 September 13

W3C Web Cryptography Working Group Wednesday, 25 September 13

Hybrid App Containers -Filesystem storage -Data Storage Options Wednesday, 25
September 13

PhoneGap - Hardware Encryption - limited by platform - Use
SQLLite Plugin - SQLCipher - Open Source - 256-bit encryption - http://brodyspark.blogspot.co.uk/ - Don’t store the key - derive from users password Wednesday, 25 September 13

RhoMobile -Similar to PhoneGap -Rhom Local Database -SQLite Database -SQLite
Encryption Extension (SEE) -All or nothing switch Wednesday, 25 September 13

Sencha Space -Secure data stores -Secured LocalStorage -Secure Files API
-Remove app access to make the data inaccessible Wednesday, 25 September 13

Remote Wiping Data -Use a mobile device management (MDM) suite
-AirWatch -Soti MobiControl -Sencha Space Wednesday, 25 September 13

Questions? Wednesday, 25 September 13

Securing Client-Side Data

Securing Client-Side Data

Andrew Duncan

More Decks by Andrew Duncan

Other Decks in Programming

Featured

Transcript