Storage data with encryption


#1

Currently I test the Electron Framework for a banking app.

So I need to encrypt the storage with a password.
Does anyone know an npm package or how I can realize this?

Thanks


#2

What do you mean by storage? Are you talking about localStorage and such?


#3

Yes, localStorage saves bank transfers, account information and so on.


#4

I’m not really a security guy, but I’ve seen lots of articles pointing to cryptojs. I also found this proof of concept, FWIW:


#5

Most security experts say that any encrypting inside of JavaScript is useless. It is very easy to hack. Stanford published an encryption package for JavaScript and even they admit it isn’t secure.


#6

This is confusing, because what is the difference between JS and other languages? It’s all about math, or?


#7

It’s not the language, it’s the delivery system, and to a degree the running environment. A man in the middle can easily modify the code. And the person at the keyboard can modify it. The source cannot be hidden, only obfuscated.

On the server the code can be protected against modification with the exception of a break-in and if there is a break-in all bets are off anyway.


#8

Isn’t the point of encryption to create an encrypted file (or other storage), and then nobody can access the data? Of course, if someone enters the passphrase for decryption into a program, then that program can decrypt and thus access the data. Of course, if the program isn’t trustworthy, you have a problem.

But why is a local program in JS less trustworthy than a local program in Python, say?


#9

As I said before, it’s not the language. It’s the environment. When I said JavaScript was not secure I meant the delivery process and run-time environment can be hacked.

Other experts agree with the security firm that wrote this: http://matasano.com/articles/javascript-cryptography/

I guess if you had the code delivered via courier, and your PC was secure against bad guys logging in, then the data could be secure. I was assuming web delivery of JavaScript.

There is talk of signing the JavaScript code so it can’t be modified, but that has been proven to not be secure also.

Edit: I’m not a security expert, but I would assume the modified code would grab the data after the user decrypted it.

Edit Edit: Or more likely it would add a tiny flaw to the encryption code so the data wasn’t safely encrypted.

Edit Edit Edit: I should mention that using JavaScript encryption on the server is secure, assuming the server isn’t hacked.


#10

This is a post in the “electron” forum, so I’m assuming that the OP is building an app using this framework, and that the app contains some JS files that do encryption.

Yes, if the app renders an HTML file that loads JS over the network, then everything you say applies. But I assumed that his app wouldn’t do that – most Electron apps don’t do that, I guess.


#11

Yes, I mean only a locally installed program like hibiscus or ioutbank, as an example.


#12

It is probably still delivered over the net. In any case, if the user uses a tool to verify a public signature (on download and updates) and the user manually enters the password on every usage of the data, then it would probably be secure.

I may seem to be pedantic, but I’m using the term “security” in the sense of impossible to hack, not hard to hack. There are two rules in security: don’t try to code it yourself, and make sure the source is publicly available for scrutiny.


#13

Umm, maybe to explain this: if you do some encryption in PHP, for example, the client never knows how the information is decrypted; you only pass the passphrase and the server does the work.

In JavaScript, for example, and in local storage, your client needs to have the decryption process to read the data. This means that someone can try to find this process in the JavaScript files to know how the encryption works and try to read the data.

I don’t know if this helps you.


#14

Just like PGP, LUKS, Enigmail, Threema, ssh, openssl, … Or have you installed any of these by physically visiting the author and copying things onto a USB stick?

I’m sure you have a point, I’m just too thick to get it. So I’m trying to provoke an explanation that works even for me…


#15

You don’t have to. Downloading and checking a public signature will do. I described what I thought would be secure.

I should have just pointed out that if you download an Electron app and run it without the signing precautions, then the JavaScript app would be exactly as insecure as a web page. Being locally installed changes nothing in regards to actual security, even if it makes it harder to hack. This is what I meant. I apologize for confusing things.


#16

@boonkerz, are you still looking for an encrypted local storage? I wrote a password manager app 2-3 years back that I’m planning to open-source. As part of that I had implemented an encrypted dictionary (to store passwords and other stuff) which would probably work for you. If you’d like, we can have a discussion out of band. I am untrix on GitHub.


#17

Why not use the default WebCrypto API that comes with the Chrome browsers? (http://www.w3.org/TR/WebCryptoAPI/)