I am building a React.JS application that is supposed to encrypt and decrypt data.
I'm using the subtlecrypto api to create RSA key pairs. I want to store them, preferably in the browser, in a way the user can re-use them when he returns to the site.
I absolutely do NOT want to store them in any kind of server or online storage, because that would defeat the purpose of the whole exercise.
Is there a dedicated facility to store secrets like that? If not, what is the most secure option available?
Related
The idea is to use public/private key cryptography to store encrypted data that only a user with biometric login can access it.
I 'm successfully using WebAuthn and this library to login and I store the credential ID and a public key. Now, as I read, I can't use this to encrypt data because I can't have the WebAuthn API decrypt it, its only used for authentication.
The question is, can I protect local browser storage with WebAuthn? If so, I could use window.crypto.subtle.generateKey to generate a RSA key, store the private locally and protect it with WebAuthn, then reuse it when necessary.
Best,
The closest thing would be to use the PRF extension that's in the draft of WebAuthn level three. However, it is not yet supported in any browser nor by any platform authenticator I'm afraid. (Although many FIDO2 security keys support the underlying hmac-secret extension to CTAP2.)
I've been working on a authorization service. It's a somewhat complex project, so I think it'll look good on a portfolio, but also it is a way to remove the reused code for every app I build. Just one central app where users are created, edited, allowed to set up security preferences and select what information to share. Users can have an account on my auth app, and share some info with other apps.
So not only do I have a create users, I've also given them the ability to create organizations and control certain requirements for auth on their apps, as well as create roles for users that have created an account on their app. This is where I'm having some issues. I'm using access and refresh tokens, rsa key pairs and jwts to authenticate each users on my site, but when creating an organization, I want to allow users to have multiple organizations if they want, and each organization should have it's own set of keys. While each individual org can set up their own authorization implementation after obtaining user info, they can only get that user info from the authorization server if they have the key associated with that app.
My problem is I don't know how I should implement this. I feel like I'll have to generate rsa keys, save one key to a database and have the organization save the other as a env variable. But should I save the public key to a db or the private? How do I even save a pem file to a db without changing the value? I'm just a bit lost on how this process can be accomplished with security in mind, but also while being dynamic. If I have to store private keys in my db then I'm very concerned about security as well. Can anyone break this down for me?
TLDR: trying to make google style universal login, need help storing and verifying rsa keys for organizations.
I'm building a website on Django 3.2 using postgres 14 as database.
I will call cloudflare API on behalf of the user using the user's CloudFlare API key.
Given that the API key is sensitive, I wanted to have the user type in a webform and encrypt it before sending it back to my backend to be decrypted.
I read about libsodium (See how do I encrypt data? I used cached because for some reason the website is temporarily down)
And I understand that github themselves use it for github secrets so I guess what's good enough for github is good enough for me.
However, I am confused about the workflow.
Because even for crypto_secretbox_easy there's still a need for key. How do I share the key between the frontend form (in HTML and javascript) and the backend server (python)?
I am likely to use libsodium.js for the javascript and pynacl for python.
My related questions scneario-wise are:
suppose the user key in the cloudflare API key in the form, so when they submit the form, what's submitted in the payload will be the encrypted version of the API key, the backend simply takes that and stores it in the database specific to that user. Is this correct?
suppose when the time comes, the user initiates a command where i need to perform an action in cloudflare on their behalf. So my python code will fetch the encrypted API key from the database and decrypt it and then calls CloudFlare API using that API key. Is this correct?
Suppose after the user submitted the cloudflare API key in the form in scenario 1, and subsequently revisits the same form, do I decrypt the API key and show it to the user in the form as value to the input text element? Or it's safer I show only the last 4 characters of the plaintext of the original API key and the rest as asterisk.
If the user still wants to change the API key, they can. And the process will be as per scenario 1. Is this right?
In all 3 scenarios, I am unsure how and where to generate and store the nonce and related keys.
I am also unsure whether to use public keys or secret key encryption.
Thank you
How to hash/encrypt string value in JavaScript? I need a mechanism to do so for hiding some data in localStorage/cookie?
It is something related to security concern but I want some protection for my data.
There are lots of encryption libraries for javascript. Here's the first one that came up on Google: http://crypto.stanford.edu/sjcl/
Your user can always gain access to the key, so this won't protect data from your user. If you want to hide things from the user, you'll have to encrypt it on the server and never send the key to the client.
Users are sending messages to each other and publish private information for other users via rails app.
The goal is to secure the messages, so neither system admins, nor database leaks won't be able to compromise the data. Javascript client side encryption with recipient key, encrypted data is stored in the database and decrypted on recipient's side. Keys are not stored in the system.
Does is make sense? Is there a solution?
Thanks a lot!
Update: I mean asymmetric cryptography. Two keys for each user: one public for encryption, one private for decryption. And a password for the application itself. User logs in using his password, creates a message, which is encrypted client side with a recipients public key (stored in the system) and saved in the database. Recipient logs in using his password, then enters his private key to decode messages. Decryption is also client side, private key is not sent to the server.
Sure. Use this http://crypto.stanford.edu/sjcl/.
Especially look at the demo http://bitwiseshiftleft.github.com/sjcl/demo/
One thing to keep in mind, the only way for you to not store the keys is for the user's to derive them from a password ( which should not be the one they use for your site). This is fine and is what the above library does.However,if they forget the password, there is no helping them,
On the client side, you can use openpgp.js. It's legit easy to use lib for creating keys, signing, encryption/decryption, etc.
Might be one of the solutions.The jsbn library is a fast, portable implementation of large-number math in pure JavaScript, enabling public-key crypto and other applications on desktop and mobile browsers.
http://www-cs-students.stanford.edu/~tjw/jsbn/
RSA Cryptography Demo http://www-cs-students.stanford.edu/~tjw/jsbn/rsa2.html