问题
I was wondering if these is some kind of technique so persist sensitive data out of a web app. I know that you should never store sensitive data in the local storage or cookies.
When logging in a website a browser usually asks if it should persist you username and password. Where is it stored? How secure is it? And the most important question, can you access it using javascript / browser built-in functions?
My Scenario: I generate an rsa key pair once (I know random of javascript isn't that good) and need to persist my private key in a secure place in the browser, so in the next session I can access it and decrypt some data.
Thanks in advance
回答1:
It is recommended to do basic threat analysis. It helps to recognise what attack vector take into account and then you can choose the right method of protecting the key. There are several possibilities of key protection. See following examples:
- you can rely on browser origin policy and assume your JS code as trusted and store the key in localstore - key is not protected from an adversary having access to the user profile
- you can let the user enter reasonably strong password each time then private need to be accessed and store the key using password based encryption and then the encrypted private key can be stored anywhere (localstore, cookie) - an adversary capable of accessing user password is able to get the key
- you can create private key encryption key by combining user password and some secret sent by server after successful authentication of the user -
来源:https://stackoverflow.com/questions/18030684/persist-sensitive-data-in-browser-possible