3

I would need to encrypt the some content before saving it on local storage in html5 and JS, at the moment I use Stanford Javascript Crypto Library.

At the moment I use a code like this.

usernameEnc = sjcl.encrypt("password", username);
passwordEnc = sjcl.encrypt("password", password);
localStorage.username = usernameEnc;
localStorage.password = passwordEnc;

I am able to encrypt correctly. As I am building a HTML5 application with JS and the JS code is download in the client, how can I protect the PASSWORD for avoiding easily decrypt the script?

Maybe I miss the point I am little puzzled.

GibboK
  • 71,848
  • 143
  • 435
  • 658
  • 2
    If you want to keep the password a secret, you either have to ask the user to provide their own, or do the encryption and decryption on your server instead of in the browser. – robertklep Mar 05 '13 at 09:24

1 Answers1

4

Unfortunately, there is no way for you to protect your key. It's JavaScript and it should somehow be downloaded to be executed in the browser. You can obfuscate the key to make it a little hard but someone with average knowledge would be able to break it.

What I would suggest doing is that you can encrypt the contents using the user's password. So every time the user should enter the password to decrypt the contents.

Don't use the users password just as it is. Use a key derivation function such as PBKDF2. There's a JavaScript implementation for PBKDF2 in the crypto-js library.

Anyway something that you ought to know is that if your application can read it in the client side, someone determined can read it too no matter how hard you try to protect it.

Henrik Aasted Sørensen
  • 6,966
  • 11
  • 51
  • 60
Ranhiru Jude Cooray
  • 19,542
  • 20
  • 83
  • 128