In How to Protect a JSON or Javascript Service, Joe Walker looks at a few solutions such as:
- Use a Secret in the Request
- Force pre-eval() Processing
- Force POST requests
The last time that I worked on a JSON-based web application, I did number 1, sort of. I basically implemented a simplified version of HTTP digest authentication in order to send a username and password to the server. In order to accomplish this, I used a nonce plus a JavaScript implementation of the SHA-1 hash function.
If I were to reimplement the user authentication portion today, I would probably use this "clipperz" library that I also found on Ajaxian. I'm amazed that someone has implemented AES in JavaScript. I would think that it would be difficult, although I haven't read the specification for it. Maybe one of these days I'll implement the Diffie-Hellman key exchange, if I get bored enough or I need it for something.
1 comment:
Hello.
I'm Francesco Sullo, co-founder of PassPack (https://www.passpack.com), an online password manager and personal vault that, like Clipperz, uses the Host-Proof-Hosting pattern to manage users' encrypted data.
After having researched the tools and scripts available online, we adopted Chris Veness's libraries. He implemented a JavaScript version of xxTEA (http://www.movable-type.co.uk/scripts/TEAblock.html) and AES (http://www.movable-type.co.uk/scripts/AES.html) - both very easy to understand and to use.
You might find them very useful.
Cheers,
Francesco