javascript - How to store RSA private keys in the client's browser for better UX? -


i planning on writing web-based password management software, in order provide sharing , permissions functionalities within team groups , members.

edit:

as mentioned below luke park, wanted add using user-password authorisation tokens (which expire). token provided on authorised api calls making these calls accessible registered users. , yes, application wrapped ssl making communication between server , client more secure.

end of edit

currently have done lot of research finding correct pattern handling password encryption. pattern looking @ called hybrid encryption since works multiple clients , can implemented securely. here's how implement pattern in application logic:

client wants create password

  1. andre creates password , provides password plain text
  2. the frontend app generates symmetric key called session key
  3. the client encrypts plain password session key
  4. andre chooses share password bob
  5. the client retrieves bob's public key server application via rest
  6. the client encrypts session key bob's public key
  7. client transfers encrypted session key , encrypted password server

server application handles password submission

  1. the server application encrypts data private salt, known server application
  2. sever stores data database

retrieving shared passwords

  1. bob requests andre's shared password
  2. server decrypts requested dataset private salt , sends client
  3. the client decrypts session key using bob's private key (which provided bob's computer)
  4. using decrypted session key, client can decrypt password (now can copied example)

so far, see pattern secure enough, since private keys of clients not public , visible clients. in order implement in web-based application, found openpgpjs.org can generate public , private keys on client side , encrypt or decrypt data aswell using these keys. on top of that, private key strings can protected secret passphrase.

my question is, how can implement private key file frontend application without messing user experience? don't want force user manage private key manually , force him provide key on each password request. secure store private key file browser's local storage , private key local storage on each password request?

you still have no way verify clients , server. because can publicly request public keys, easy mitm between client , server, , feed garbage arbitrary password.

consider:

  • attacker retrieves bob's public key using rest.
  • attacker generates own "session key" , encrypts arbitrary value.
  • attacker feeds result client, has been man-in-the-middled.
  • client thinks has received correct password, hasn't.

without being able verify , authorize both server , client, system becomes easy mess with. may not seem huge problem, can make way other attacks.

edit: noticed if mitm occurs between client , rest api, attacker can feed client public key paired private key attacker owns.

consider:

  • client share it's password server.
  • client contacts rest api (mitm attacker) pull bob's public key.
  • attacker supplies public key.
  • client generates session key , ciphertext of password.
  • client sends result "server" (the attacker).
  • attacker uses private key retrieve session key.
  • attacker uses session key retrieve plaintext password.

Comments

Post a Comment

Popular posts from this blog

get url and add instance to a model with prefilled foreign key :django admin -

Image
i have page in each contest shown in row. each row contains contest id , link other model names have foreign key contest. news model: class news(models.model): title = models.charfield(max_length=50, null=true) description = models.textfield() time = models.timefield( default= datetime.datetime.now().time()) contest = models.foreignkey(contest) i want use admin adding , changing these models. want when user clicks on 'news' has foreign key contest id=1, shows list of news value foreign key. use {% instance in instances %} <tr class="{% cycle 'row1' 'row2' %}"> <td>{{ instance.title }}</td> <td>{{ instance.starttime }}</td> <td>{{ instance.timespan }}</td> <td>{{ instance.date }}</td> <td><a href="/adm...
Read more

android - Keyboard hides my half of edit-text and button below it even in scroll view -

i having trouble keyboard covers edit-text , half of button in scroll view. here's layout , please tell me how should resolve problem. many questions on topic none of them s working me. <?xml version="1.0" encoding="utf-8"?> <linearlayout xmlns:android="http://schemas.android.com/apk/res/android" android:layout_width="match_parent" android:background="@drawable/bg" android:layout_height="match_parent"> <scrollview android:layout_width="match_parent" android:fillviewport="true" android:layout_height="match_parent"> <relativelayout android:layout_width="match_parent" android:layout_height="wrap_content" android:orientation="vertical"> <linearlayout android:layout_width="match_parent" android:layout_height="w...
Read more

css - Make div keyboard-scrollable in jQuery Mobile? -

from can tell, although jquery-mobile-powered pages can contain divs overflow set scroll or auto, , these divs can scrolled one-screen bar or mouse wheel, cannot scrolled using arrow keys, page-up/page-down, or home/end. instead, official "page" div (with data-role="page") absorbs input. perhaps other divs can't acquire focus, i'm not sure. is there way around this? edit: jsfiddle of simple example: https://jsfiddle.net/qogz0shx/ <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script> <script src="https://ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script> <link rel="stylesheet" href="https://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.css"/> <style> #outer { overflow:scroll; height: 50vh; width: 50vw; } #inner { height: 500vh; width: 500vw; } ...
Read more