See this HTML5 Web DB Security

请参阅此HTML5 Web DB 安全性

client-side encryption libraries aren't mature or tested well enough

客户端加密库不够成熟或测试不够好

...but it's been a year ago, so that could be false already

……但那是一年前的事了，所以那可能已经是假的了

Hi instead of storing the username and password, can you not create some sort of "session" with the remote server and instead transmit an authentication token?

您好，您可以不与远程服务器创建某种“会话”，而是传输身份验证令牌，而不是存储用户名和密码？

Storing a username and password anywhere in the client side gives me the shivers.

在客户端的任何地方存储用户名和密码让我不寒而栗。

Perhaps of looking for ways of storing the username / password safely, look for ways of removing the need to store it at all.

也许寻找安全存储用户名/密码的方法，寻找完全不需要存储它的方法。

However of course I'm saying this without knowing the full background... I'm guessing there is a good reason to need to store the username / password.

但是，当然我是在不知道完整背景的情况下这么说的......我猜有一个很好的理由需要存储用户名/密码。

For anyone stumbling upon this question, Stanford has a crypto project over at http://crypto.stanford.edu/sjcl/. I have not used it myself in production, but am busy investigating it and so far it looks promising. Hope this helps someone.

对于任何遇到这个问题的人，斯坦福大学在http://crypto.stanford.edu/sjcl/ 上有一个加密项目。我自己没有在生产中使用它，但我正在忙于研究它，到目前为止它看起来很有希望。希望这可以帮助某人。

David Dahl, a Firefox engineer, has a prototype Firefox extension, domcrypt(repository on github), that provides Javascript access to Firefox's NSS (Network Security Services) APIs. Since Chrome also uses NSS, providing the same API is probably straightforward for it as well.

Firefox 工程师 David Dahl 有一个原型 Firefox 扩展domcrypt（github 上的存储库），它提供对 Firefox 的 NSS（网络安全服务）API 的 Javascript 访问。由于 Chrome 也使用 NSS，因此提供相同的 API 可能也很简单。

He's pushing Mozillato evolve it a bit more for eventual inclusion within Firefox; we'll see what happens.

他正在推动 Mozilla对其进行更多改进，以最终包含在 Firefox 中；我们会看看会发生什么。

Was researching this topic myself recently. I think by now we do have some proven JS encryption libraries see hereand here.

最近自己也在研究这个话题。我认为现在我们确实有一些经过验证的 JS 加密库，请参见此处和此处。

Now the question is where to store the key. Storing it on the client side would be the same as storing the data with no encryption at all. And having the user enter the key all the time would defeat the purpose.

现在的问题是在哪里存储密钥。将其存储在客户端与存储完全不加密的数据相同。让用户一直输入密钥会破坏目的。

Maybe you could ask your server to generate a new key whenever you create a new session. (Make sure to use HTTPS when making this request). If the session expires, the user has to enter username/password again and it would be encrypted using the new token. To decrypt the key you have to make a (secure) request to your server (passing in your session id) to request the key, which then can be used to decrypt username and password.

也许您可以在创建新会话时要求服务器生成新密钥。（请确保在发出此请求时使用 HTTPS）。如果会话过期，用户必须再次输入用户名/密码，并使用新令牌对其进行加密。要解密密钥，您必须向您的服务器发出（安全）请求（传入您的会话 ID）以请求密钥，然后该密钥可用于解密用户名和密码。

Now this still leaves open the usual vulnerabilities such as cross side scripting or session hiHymaning, but at least the user password is not stored in clear text on the client side.

现在这仍然存在常见的漏洞，例如跨端脚本或会话劫持，但至少用户密码不会以明文形式存储在客户端。

What do you think?

你怎么认为？

More recent browser versions should support Web Crypto API.

更新的浏览器版本应该支持 Web Crypto API。

1. See the live test page if you browser works
2. The w3c Webcrypto API description
3. Mozilla Developer Network Info on WebCrypto API

1. 如果您的浏览器工作正常，请查看实时测试页面
2. w3c Webcrypto API 描述3. WebCrypto API 上的
Mozilla 开发者网络信息

I work on an applicationthat faces the same problem. Security is important for this application because it allows users to build personal trees (or nested lists) and to store them on the cloud.

我正在开发一个面临同样问题的应用程序。安全性对于此应用程序很重要，因为它允许用户构建个人树（或嵌套列表）并将它们存储在云中。

My solution is to encrypt the password stored on the client side with another password generated by the server for each user.

我的解决方案是用服务器为每个用户生成的另一个密码对存储在客户端的密码进行加密。

Storing sensitive user credentials are really not a good design. Instead generate a authenticated token from server using, say, sprint framework. You can then store the same in localstorage using the Web DB Security module.

存储敏感的用户凭据确实不是一个好的设计。而是使用例如 sprint 框架从服务器生成经过身份验证的令牌。然后，您可以使用 Web DB 安全模块将其存储在 localstorage 中。

I have to say if your creating a session data 1 is that not,- stored on the server not client side thus no one sees the session data or at least it should be done that way via asp, or php, ect so have the app require internet and retrieve the info from a web server and don't store it on the client side. 2 if this does deal with client side like dealing with streaming a video, or images or you have to create some files on the client side storing the key on the clients mobile device is the only way. Thus either have the key with a short ttl to decrypt the data, the key given through some form of authentication or certificate, or a key installed from your main office and encrypt the device in case they loose it. I not found and encrypt function I like to suggest yet for you.

我不得不说，如果您创建的会话数据 1 不是，则存储在服务器上而不是客户端上，因此没有人看到会话数据，或者至少应该通过 asp 或 php 等方式完成该应用程序需要互联网并从网络服务器检索信息，不要将其存储在客户端。2 如果这确实处理客户端，例如处理流视频或图像，或者您必须在客户端创建一些文件，将密钥存储在客户端移动设备上是唯一的方法。因此，要么使用带有短 ttl 的密钥来解密数据、通过某种形式的身份验证或证书提供的密钥，要么使用从您的总公司安装的密钥并加密设备以防他们丢失它。我还没有找到我想为你推荐的加密功能。