1

I am working on an offline SPA app (which will obviously use only local files) which has my main data, a large array of strings, stored in a js file that is loaded with the page. The data is UTF8 (Khmer). I am looking for a way to create a cipher so that the text can be stored in the array in this js file relatively securely. Then, I need to decrypt the strings on the fly using an algorithm that the user cannot 'crack' just by looking at the js source, i.e. I need to hide the algorithm. I know this is a broad question, but seeing I am working offline, I can't have access to local files (which could be easily encrypted) using js. Thanks for any help.

3
  • Not possible with software. Not even possible with hardware, if the attacker (user) has access to it. This question might have a meaningful answer if you gave some sort of parameter for how hard/expensive you want to make it for the attacker. Commented Sep 12, 2012 at 8:46
  • I want only to keep 'honest' attackers from easily extracting the real data. That's all. This isn't national security info. Commented Sep 12, 2012 at 8:49
  • If your program can decrypt it, everyone can. It's like DRM: It can not work. Commented Sep 12, 2012 at 8:52

3 Answers

1

Encrypt the data with whatever key and algorithm you like. Obfuscate your js code with one of many, many obfuscators out there.

Note that anyone who can read js code and can run a prettifier script will be able to figure out what you're doing and extract the data himself, but that's about as far as you can get with just software.

An extra hurdle for the attacker could be made if you store the key off-site (i.e., your own server), which the client requests and retrieves at run-time. The attacker can find the key easily using a packet sniffer and turning on the program, but that's one extra step in your "security by this is not worth my time."


3 Comments

The attacker just loads the page and gets the decrypted data from your own function.
That's helpful. @PiTheNumber This is true. I am trying to decide if this meets the threshold of (non-)security I want :-).
@PiTheNumber Sure, that's my point. You can obfuscate your code but if it's running on the local machine, there's no way to "protect" it from anyone who really wants to see it. You can, however, make it a pain in the ass to look at unless the attacker has 10 minutes to spare finding and installing the right tool to make it easy again.
0

You cannot hide the key but you can ask the user for a password. Starting from there you can use an encryption library to decrypt your data. E.g:

1 Comment

I intended the process to be completely hidden from the user. It is only intended to prevent easily harvesting the data from the source js file. I would be perfectly happy to just use something similar to a Caesar cipher, but I don't know how to hide the function to decipher it from the user.
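
One way to do what this answer describes, as an added example that is not part of the original answer: the Web Crypto API derives an AES-GCM key from the user's password with PBKDF2, so no key is stored in the js data file. The function names, the iteration count and the sample strings are assumptions made for illustration, and the code assumes `crypto.subtle` is available in the runtime.

```javascript
// Added example: password-derived key, so the shipped js file holds only ciphertext.
const enc = new TextEncoder(), dec = new TextDecoder();
const b64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
const SAMPLE = ['សួស្តី', 'អរគុណ']; // constructed sample strings (Khmer, UTF-8)

// Web Crypto is a browser global; the fallback import covers older Node versions.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// PBKDF2 stretches the password into a 256-bit AES-GCM key.
async function deriveKey(password, salt) {
  const { subtle } = await getCrypto();
  const material = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Build step (run once): returns the record to store in the js data file.
async function encryptStrings(strings, password) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const key = await deriveKey(password, salt);
  const items = [];
  for (const s of strings) {
    const iv = c.getRandomValues(new Uint8Array(12)); // fresh IV per string
    const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(s));
    items.push({ iv: b64(iv), ct: b64(ct) });
  }
  return { salt: b64(salt), items };
}

// Page load: derive the key from the typed password, then decrypt the array.
async function decryptStrings(record, password) {
  const c = await getCrypto();
  const key = await deriveKey(password, unb64(record.salt));
  const out = [];
  for (const { iv, ct } of record.items) {
    // Rejects on a wrong password or a modified ciphertext (GCM tag check).
    const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: unb64(iv) }, key, unb64(ct));
    out.push(dec.decode(pt));
  }
  return out;
}
```

Once the password has been entered, the decrypted strings are in page memory and visible to that user, so this protects the file at rest only.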
0

You can make your code unreadable using a tool like javascriptobfuscator or this.

It's not secure but it buys you a few minutes till the attacker decodes it.
