javascript - Client side data encryptiondecryption for rails application - Stack Overflow

admin管理员组

文章数量:1023585

Users are sending messages to each other and publish private information for other users via rails app.

The goal is to secure the messages, so neither system admins, nor database leaks won't be able to promise the data. Javascript client side encryption with recipient key, encrypted data is stored in the database and decrypted on recipient's side. Keys are not stored in the system.

Does is make sense? Is there a solution? Thanks a lot!

Update: I mean asymmetric cryptography. Two keys for each user: one public for encryption, one private for decryption. And a password for the application itself. User logs in using his password, creates a message, which is encrypted client side with a recipients public key (stored in the system) and saved in the database. Recipient logs in using his password, then enters his private key to decode messages. Decryption is also client side, private key is not sent to the server.

Users are sending messages to each other and publish private information for other users via rails app.

The goal is to secure the messages, so neither system admins, nor database leaks won't be able to promise the data. Javascript client side encryption with recipient key, encrypted data is stored in the database and decrypted on recipient's side. Keys are not stored in the system.

Does is make sense? Is there a solution? Thanks a lot!

Update: I mean asymmetric cryptography. Two keys for each user: one public for encryption, one private for decryption. And a password for the application itself. User logs in using his password, creates a message, which is encrypted client side with a recipients public key (stored in the system) and saved in the database. Recipient logs in using his password, then enters his private key to decode messages. Decryption is also client side, private key is not sent to the server.

• javascript
• ruby-on-rails
• security
• encryption

Share Improve this question Follow edited Jul 16, 2012 at 13:43 Elder asked Jul 16, 2012 at 11:38 ElderElder 44755 silver badges1717 bronze badges 8

• Only problem I see: if the keys are not stored in the system, how does the client keep hold of them? Local storage? Then I couldn't log into the system from two puters (or even browsers). Just a simple password? There's a danger of it being brute-forced. ... – Joachim Sauer Commented Jul 16, 2012 at 11:41
• @JoachimSauer I ment asymmetric cryptography. Public key can be stored in the system, because it cannot be used for decryption. Question updated – Elder Commented Jul 16, 2012 at 13:45
• still, how will the client get (or keep) the private key? It will still need it to decrypt the data. – Joachim Sauer Commented Jul 16, 2012 at 13:53
• @Elder Joachim's argument sill holds. You have to store the private key. – Stefan Commented Jul 16, 2012 at 13:59
• Regarding update: so you want the user to "enter" the private key? As in "type in"? Those things are not exactly easy to remember, let alone type in correctly. – Joachim Sauer Commented Jul 16, 2012 at 14:19

 |  Show 3 more ments

3 Answers 3

Sorted by: Reset to default 3

Sure. Use this http://crypto.stanford.edu/sjcl/. Especially look at the demo http://bitwiseshiftleft.github./sjcl/demo/

One thing to keep in mind, the only way for you to not store the keys is for the user's to derive them from a password ( which should not be the one they use for your site). This is fine and is what the above library does.However,if they forget the password, there is no helping them,

On the client side, you can use openpgp.js. It's legit easy to use lib for creating keys, signing, encryption/decryption, etc.

Might be one of the solutions.The jsbn library is a fast, portable implementation of large-number math in pure JavaScript, enabling public-key crypto and other applications on desktop and mobile browsers.

http://www-cs-students.stanford.edu/~tjw/jsbn/

RSA Cryptography Demo http://www-cs-students.stanford.edu/~tjw/jsbn/rsa2.html

Users are sending messages to each other and publish private information for other users via rails app.

The goal is to secure the messages, so neither system admins, nor database leaks won't be able to promise the data. Javascript client side encryption with recipient key, encrypted data is stored in the database and decrypted on recipient's side. Keys are not stored in the system.

Does is make sense? Is there a solution? Thanks a lot!

Update: I mean asymmetric cryptography. Two keys for each user: one public for encryption, one private for decryption. And a password for the application itself. User logs in using his password, creates a message, which is encrypted client side with a recipients public key (stored in the system) and saved in the database. Recipient logs in using his password, then enters his private key to decode messages. Decryption is also client side, private key is not sent to the server.

Users are sending messages to each other and publish private information for other users via rails app.

The goal is to secure the messages, so neither system admins, nor database leaks won't be able to promise the data. Javascript client side encryption with recipient key, encrypted data is stored in the database and decrypted on recipient's side. Keys are not stored in the system.

Does is make sense? Is there a solution? Thanks a lot!

Update: I mean asymmetric cryptography. Two keys for each user: one public for encryption, one private for decryption. And a password for the application itself. User logs in using his password, creates a message, which is encrypted client side with a recipients public key (stored in the system) and saved in the database. Recipient logs in using his password, then enters his private key to decode messages. Decryption is also client side, private key is not sent to the server.

• javascript
• ruby-on-rails
• security
• encryption

Share Improve this question Follow edited Jul 16, 2012 at 13:43 Elder asked Jul 16, 2012 at 11:38 ElderElder 44755 silver badges1717 bronze badges 8

• Only problem I see: if the keys are not stored in the system, how does the client keep hold of them? Local storage? Then I couldn't log into the system from two puters (or even browsers). Just a simple password? There's a danger of it being brute-forced. ... – Joachim Sauer Commented Jul 16, 2012 at 11:41
• @JoachimSauer I ment asymmetric cryptography. Public key can be stored in the system, because it cannot be used for decryption. Question updated – Elder Commented Jul 16, 2012 at 13:45
• still, how will the client get (or keep) the private key? It will still need it to decrypt the data. – Joachim Sauer Commented Jul 16, 2012 at 13:53
• @Elder Joachim's argument sill holds. You have to store the private key. – Stefan Commented Jul 16, 2012 at 13:59
• Regarding update: so you want the user to "enter" the private key? As in "type in"? Those things are not exactly easy to remember, let alone type in correctly. – Joachim Sauer Commented Jul 16, 2012 at 14:19

 |  Show 3 more ments

3 Answers 3

Sorted by: Reset to default 3

Sure. Use this http://crypto.stanford.edu/sjcl/. Especially look at the demo http://bitwiseshiftleft.github./sjcl/demo/

One thing to keep in mind, the only way for you to not store the keys is for the user's to derive them from a password ( which should not be the one they use for your site). This is fine and is what the above library does.However,if they forget the password, there is no helping them,

On the client side, you can use openpgp.js. It's legit easy to use lib for creating keys, signing, encryption/decryption, etc.

Might be one of the solutions.The jsbn library is a fast, portable implementation of large-number math in pure JavaScript, enabling public-key crypto and other applications on desktop and mobile browsers.

http://www-cs-students.stanford.edu/~tjw/jsbn/

RSA Cryptography Demo http://www-cs-students.stanford.edu/~tjw/jsbn/rsa2.html

本文标签： javascriptClient side data encryptiondecryption for rails applicationStack Overflow