6

I would like to encrypt some user data before it's sent to the server. That is, the data will be encrypted on the client side in browser using JavaScript.

My question is, what options are available for storing private keys on the client side (it will be used for decrypting the data when user views it later on)?

HTML5 local storage or just reading local text file containing the key from JavaScript seems a bit off... Is it possible to use personal certificates for this purpose? Or is there any other option?

EDIT:

Slight clarification,

All the sensitive data that needs to be encrypted is generated on the client machine and it should never leave it in plain-text. The data in question is mostly files which user will upload to the server, however we might want to encrypt some form fields as well in the future.

Once the encrypted data is sent to server it is stored in ciphered form and will never be decrypted anywhere else other than the same client machine. For example if the user decides to download his files back, he will receive encrypted files which will be decrypted in browser using JavaScript.

Also it's crucial for us that the Public-Private key pair is generated on the same client machine. This will be done only once manually by the user or with the help of some automated solution.

Bottom line is, neither the private key nor plain-text data should ever leave the client's machine.

orom
  • You don't need a private key for encrypting, just the public one. – Alex H Feb 06 '15 at 11:18
  • @AlexanderH Indeed the data will be encrypted using public key (which is stored on the server), however it needs to be decrypted later on, when for example, user wants to view it. Hence the need to store the private key client-side in browser. – orom Feb 06 '15 at 11:32
  • Then you need a second pair of keys, I would say. Everything else is like using no key. – Alex H Feb 06 '15 at 11:43
  • Why do you think `localStorage` is not a good idea? – Artjom B. Feb 06 '15 at 11:48
  • @AlexanderH Why two pairs of keys? Key pair will be generated on the client machine and the private key will never leave it. Only the public is sent to the server mostly because some data will need to be encrypted server side as well. Mutual authentication will be handled separately from all this. – orom Feb 06 '15 at 12:19
  • @ArtjomB Frankly I am not sure how to store it initially in the localStorage since it's domain specific and the private key will be generated on the client machine and should never leave it, that is I can't receive it from the server and store it. I was hoping for a more standardized way I guess, perhaps using personal certificates installed in browser, which will be easier installation-wise for the user, but can't seem to find any information regarding this. – orom Feb 06 '15 at 12:23
  • @orom Client certificates are usually used for user authentication and nothing more, because a signature is generated with a private key which can be verified with the corresponding public key at the server. I guess you have to clarify where data is generated, who has to see it and who has to communicate with each other. – Artjom B. Feb 06 '15 at 12:32
  • @ArtjomB Thanks for the remarks, I've updated OP. – orom Feb 06 '15 at 12:58

1 Answer

7

According to your description the data in files and form fields should only ever be used on the client. There is simply no need to use public-key-encryption in this case. You should use a symmetric block cipher like AES to encrypt this data and send it to the server. The single random symmetric key will be generated in the client browser and stored in localStorage possibly protected by a password (e.g. second layer of AES). The AES key is a 128/192/256-bit long binary string and it should never leave the client browser.

I think localStorage is the only viable option, because it is implemented by all modern browsers.

There may be other solutions like browser plugins or even a custom browser, though.

Artjom B.
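The scheme in the answer above (a random AES key generated in the browser, kept in localStorage under a password-based second AES layer), sketched as an added example that is not code from the answer or the question. It assumes the Web Crypto API, AES-GCM and PBKDF2, none of which the page names; the function names, the `dataKey` storage slot and the iteration count are illustrative, and `storage` is anything with the `getItem`/`setItem` interface (`localStorage` in a browser).

```javascript
// Added example; function names and the "dataKey" slot are hypothetical.
const wc = globalThis.crypto ?? (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = wc.subtle;
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Password -> AES-GCM key-wrapping key (the "second layer of AES").
async function deriveWrappingKey(password, salt, iterations) {
  const material = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', salt, iterations, hash: 'SHA-256' }, material,
    { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Random data key, generated on the client. Extractable only so it can be wrapped once.
function generateDataKey() {
  return subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
}

// Store only the wrapped key plus the public parameters needed to unwrap it.
async function wrapAndStore(storage, dataKey, password, iterations = 600000) { // count is an assumption
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const kek = await deriveWrappingKey(password, salt, iterations);
  const wrapped = await subtle.wrapKey('raw', dataKey, kek, { name: 'AES-GCM', iv });
  storage.setItem('dataKey', JSON.stringify({
    iterations, salt: b64(salt), iv: b64(iv), wrapped: b64(wrapped) }));
}

// Rejects if the password is wrong or the stored record was modified (GCM tag check).
async function loadAndUnwrap(storage, password) {
  const rec = JSON.parse(storage.getItem('dataKey'));
  const kek = await deriveWrappingKey(password, unb64(rec.salt), rec.iterations);
  return subtle.unwrapKey('raw', unb64(rec.wrapped), kek, { name: 'AES-GCM', iv: unb64(rec.iv) },
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']); // non-extractable in use
}

// File or form-field bytes -> 12-byte IV || ciphertext || tag, ready for upload.
async function encryptBytes(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const out = new Uint8Array(iv.length + ct.length);
  out.set(iv); out.set(ct, iv.length);
  return out;
}
async function decryptBytes(key, blob) {
  return subtle.decrypt({ name: 'AES-GCM', iv: blob.slice(0, 12) }, key, blob.slice(12));
}
```

Anything readable by script on the page's origin can read localStorage, so the password layer protects the stored key at rest but not against script injected into the page while the key is unlocked.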