Secure browser-based storage on an untrusted server?
- From: lee.reeves@xxxxxxxxx
- Date: 14 Apr 2006 15:31:46 -0700
Background: I don't know if this is the right newsgroup for this, but
I'm trying to develop a secure online storage application for small
strings, like passwords and PINs. This started as a project for my own
use, because I couldn't find an existing site that I would trust, but I
decided to make it public and open-source for anyone who might be
interested in using it (www.iwhisper.info).
Standard encryption algorithms like AES solve the mathematical
challenges of secure storage (I'm using open source Javascript
implementations of AES and SHA-256 written by others, which pass
standard test vectors).
But that leaves the technical and social challenges of making a public
site trustworthy and secure, without relying overly on trust for the
server and anyone who might be able to access it (myself, my web host,
hackers, ...?).
Is this an appropriate place to discuss these issues? Such as:
1) Javascript is distributed by the server, so an attacker who gained
access to the server could replace the encryption code with code that
gives him total access to user's data.
2) Methods for securely updating data or removing it from the system,
which require the user's private key without transmitting that key to
the server.
3) Methods for securely and conveniently storing the user's private key
on the client computer (cookies?).
.
- Follow-Ups:
- Re: Secure browser-based storage on an untrusted server?
- From: Joseph Ashwood
- Re: Secure browser-based storage on an untrusted server?
- Prev by Date: Re: authentication (SRP*, DH, TLS)
- Next by Date: Re: LibTomCrypt ASN.1...
- Previous by thread: Blum vs. Isaac
- Next by thread: Re: Secure browser-based storage on an untrusted server?
- Index(es):
Relevant Pages
|
