3

I would need to encrypt some content before saving it in local storage in HTML5 and JS; at the moment I use the Stanford Javascript Crypto Library.

At the moment I use code like this:

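```javascript
// The passphrase "password" is hard-coded in the script, which is what the question is about.
var usernameEnc = sjcl.encrypt("password", username);
var passwordEnc = sjcl.encrypt("password", password);
localStorage.username = usernameEnc;
localStorage.password = passwordEnc;
```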

I am able to encrypt correctly. As I am building an HTML5 application with JS and the JS code is downloaded to the client, how can I protect the PASSWORD so that the script cannot be easily decrypted?

Maybe I am missing the point; I am a little puzzled.

1
  • 2
    If you want to keep the password a secret, you either have to ask the user to provide their own, or do the encryption and decryption on your server instead of in the browser. Commented Mar 5, 2013 at 9:24

1 Answer 1

4

Unfortunately, there is no way for you to protect your key. It's JavaScript and it should somehow be downloaded to be executed in the browser. You can obfuscate the key to make it a little harder, but someone with average knowledge would be able to break it.

What I would suggest is that you encrypt the contents using the user's password. So every time, the user should enter the password to decrypt the contents.

Don't use the user's password just as it is. Use a key derivation function such as PBKDF2. There's a JavaScript implementation of PBKDF2 in the crypto-js library.

Anyway, something that you ought to know is that if your application can read it on the client side, someone determined can read it too, no matter how hard you try to protect it.


3 Comments

SSL could be used to protect the code running in the browser, so that would include the password.
@owlstead: Yes, it will protect it while it's transferred between the server and the browser.
We will have to wait for w3.org/2012/webcrypto, the W3C specification, and how it deals with the underlying operating system's KeyStore to be resolved.
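
The answer's suggestion (derive the key from a password the user types, via PBKDF2, instead of embedding it in the script), as an added example that is not part of the original answer or comments. It uses the Web Crypto API referred to in the last comment rather than SJCL or crypto-js; the function names, the stored record layout, the iteration count and the `storage` parameter (pass `localStorage` in a browser) are assumptions.

```javascript
// Added example (not from the original page); names, record layout and
// ITERATIONS are assumptions. `storage` is localStorage in a browser.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // old-Node fallback
const ITERATIONS = 600000; // assumed PBKDF2 work factor
const enc = new TextEncoder(), dec = new TextDecoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-256-GCM key from the passphrase the user types.
async function deriveKey(passphrase, salt, iterations) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Store salt, IV, iteration count and ciphertext; never the passphrase or key.
async function saveEncrypted(storage, name, passphrase, plaintext, iterations = ITERATIONS) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh per record
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh per record
  const key = await deriveKey(passphrase, salt, iterations);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  storage.setItem(name, JSON.stringify(
    { iter: iterations, salt: b64(salt), iv: b64(iv), ct: b64(ct) }));
}

// Returns the plaintext, or null when the item is missing, the passphrase is
// wrong, or the stored record was modified (the GCM tag check fails).
async function loadEncrypted(storage, name, passphrase) {
  const raw = storage.getItem(name);
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    const key = await deriveKey(passphrase, unb64(rec.salt), rec.iter);
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: unb64(rec.iv) }, key, unb64(rec.ct));
    return dec.decode(pt);
  } catch (e) {
    return null;
  }
}
```

This keeps the key out of the downloaded script, but as the answer notes, anything the application can decrypt on the client can also be read by someone with access to that client while the passphrase is in use.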
