我想知道这些是否是某种技术,因此将敏感数据保存在网络应用程序之外。我知道您应该从不在本地存储或Cookie中存储敏感数据。
I was wondering if these is some kind of technique so persist sensitive data out of a web app. I know that you should never store sensitive data in the local storage or cookies.
登录网站时,浏览器通常会询问是否持久化您的用户名和密码。它在哪里存储?它有多安全?最重要的问题是,你可以使用javascript / browser内置函数访问它吗?
When logging in a website a browser usually asks if it should persist you username and password. Where is it stored? How secure is it? And the most important question, can you access it using javascript / browser built-in functions?
我的场景:我生成一个rsa键对不是那么好),需要将我的私钥保存在浏览器中的安全位置,因此在下一个会话中,我可以访问它并解密一些数据。
My Scenario: I generate an rsa key pair once (I know random of javascript isn't that good) and need to persist my private key in a secure place in the browser, so in the next session I can access it and decrypt some data.
提前感谢
推荐答案分析。它有助于识别什么攻击矢量被考虑,然后你可以选择正确的方法来保护密钥。有几种关键保护的可能性。查看以下示例:
It is recommended to do basic threat analysis. It helps to recognise what attack vector take into account and then you can choose the right method of protecting the key. There are several possibilities of key protection. See following examples:
- 您可以依赖浏览器源策略,并假定您的JS代码为受信任的,并将键存储在localstore中 - 键不受保护以免访问用户个人资料
- ,您可以让用户每次都输入相当强的密码,然后私人需要访问,并使用基于密码的加密存储密钥,然后加密私钥可以存储在任何地方(localstore,cookie) - 能够访问用户密码的对手能够获取密钥
- 您可以通过组合用户密码和某些密钥来创建私钥加密密钥在用户成功认证后由服务器发送 -
更多推荐
在浏览器中保留敏感数据?可能?
发布评论