-2

I save information in local storage and I want to make sure the user didn't replace the data or had fun with it.

The client receive an object, javascript analyse it, do it's thing and store some of it in the browser's local storage.

The data is sent to the server every 30 seconds and the server replies by another object, based on the previous data sent.

The process happens often so it would be preferable to avoid sending the server tons of data and make heavy query to verify the integrity.

I know Javascript in the client is prone to debugging, reverse engineering etc. But it would definitely add a layer of security so at least some people wouldn't bother. (Security through obscurity)

My initial thought was to make a checksum of the value I want to store, send it to the server and compare it to the checksum stored. If the result mismatch, dismiss the data on the client-side. I think it would be preferable to avoid storing in database and be able to check if it's legit with some function.

I would prefer if the data stored would look like a token (like a signed or encrypted base64 string) rather than raw data as it would leak some information about how the code works and may make it vulnerable.

Is there libraries or method of doing so that could help me in my journey?

HypeWolf
  • 750
  • 12
  • 29
  • 1
    As you say, all you can do would be "security by obscurity" which is no security. If the client signs the data, you can't control what data the client signs. – Gamification Jan 20 '19 at 21:18
  • I guess I need to come up with something myself. You are right, I didn't think of that :) Thanks @Gamification – HypeWolf Jan 20 '19 at 21:19
  • 2
    This may help - https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest – Matthew Page Jan 20 '19 at 21:19
  • 1
    @MatthewPage nothing prevents the user to modify the data and create a new digest – gusto2 Jan 21 '19 at 09:36

1 Answers1

1

Is it possible to sign/encrypt data on the client-side to ensure it was not manipulated by the user?

Short aswer - No, it is not possible.
Long answer - Any message authentication code (signature, hmac, ..) requires a secret value. As soons as you do the signing on the client side throuhg JavaScript, there is no way you can prevent the user to access the secret or modify data.

Take in account the user even may modify the application to change the client-side validation. Long story short - never trust user's input, you have to always validate data on the server side.

Suggestion - you may send the data to a server service and the server could sign/hmac the data. The same way you could validate the data integrity.

But it would definitely add a layer of security so at least some people wouldn't bother. (Security through obscurity)

In my opinion - it doesn't matter much. If the user doesn't care, he won't modify the data. If you have a dedicted user, no level of obfuscation will stop him.

I would prefer if the data stored would look like a token (like a signed or encrypted base64 string)

Nothing prevents you to do so.

gusto2
  • 11,210
  • 2
  • 17
  • 36
  • Thanks for this detailed answer. I could find a way to make the server sign a part of the data. I need a rubber duck :). – HypeWolf Jan 22 '19 at 02:16