HTML5 Client Side Data Encryption - What are my options?

Backend · Unresolved · 9 · 803
离开以前 · 2020-12-05 03:23

I am working on a (EDIT: mobile) web app which displays some sensitive information and requires a login which stores the member's username and password in a HT

9 answers
  • 2020-12-05 04:19

    I work on an application that faces the same problem. Security is important for this application because it allows users to build personal trees (or nested lists) and to store them on the cloud.

    My solution is to encrypt the password stored on the client side with another password generated by the server for each user.

    0 · Discussion (0)
  • 2020-12-05 04:20

    For anyone stumbling upon this question, Stanford has a crypto project over at http://crypto.stanford.edu/sjcl/. I have not used it myself in production, but am busy investigating it and so far it looks promising. Hope this helps someone.

    0 · Discussion (0)
  • 2020-12-05 04:22

    Was researching this topic myself recently. I think by now we do have some proven JS encryption libraries; see here and here.

    Now the question is where to store the key. Storing it on the client side would be the same as storing the data with no encryption at all. And having the user enter the key all the time would defeat the purpose.

    Maybe you could ask your server to generate a new key whenever you create a new session. (Make sure to use HTTPS when making this request). If the session expires, the user has to enter username/password again and it would be encrypted using the new token. To decrypt the key you have to make a (secure) request to your server (passing in your session id) to request the key, which then can be used to decrypt username and password.

    Now this still leaves open the usual vulnerabilities such as cross-site scripting or session hijacking, but at least the user password is not stored in clear text on the client side.

    What do you think?


    0 · Discussion (0)