#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2011
    Posts
    2
    Rep Power
    0

    Mobile web page - where to keep private data on devices?


    Hi,

    I'm developing mobile website and I have one problem with security some of data.

    First time the user browse my site, the page requests a server to get some private user's data (i.e. RSA private key) which is used in future operations. This private key must be stored somewhere in local device memory (as a file on device, browser cache...). Next time when the same user launches the page (some functionality on page), the page has to load the file from local data when needed and use it (i.e. encrypt some string with private key).

    The problem is where to store this key and how to read it?

    First, I thought about cookies. But the cookie will be sent with all requests, so doing it with private key IMHO is not a good idea. The connection of course will be via SSL, but even that I don't want to send private key to server (it has to be as secure as possible!). So, how to solve to problem...?

    I can add, it's not necessary to get the private key from server. It can be load as a file to device via its file manager or something like that. Simply - the browser has to read the private key when it will be needed and use it. I don't think that browser allows to save/read file from JavaScript, am I right?

    Solution of the problem must work on most of available devices and browsers nowadays (especially iPhone, Android, Symbian + Opera Mobile(/Mini?).

    Maybe HTML5 and its 'localStorage' could solve it but I have to assume, I CAN'T use HMTL5 with all its features. I consider using jQueryMobile framework.

    Please, help! Thanks in advance!!
  2. #2
  3. Lord of the Dance
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2003
    Posts
    3,663
    Rep Power
    1958
    As standard, you don't transfer the private key, but the public key.

    Why is it SSL is not enough? what kind of security do you want to archive with you own version of private/public key transfer?

    It sounds more like you need some kind of a login/member application.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2011
    Posts
    2
    Rep Power
    0
    Originally Posted by MrFujin
    As standard, you don't transfer the private key, but the public key.
    Yes, I know. The private key doesn't have to be transfer. But the key has to be load somehow to device. The problem is how to get the key from device to use it browser (from encrypt some data).

    Originally Posted by MrFujin
    Why is it SSL is not enough? what kind of security do you want to archive with you own version of private/public key transfer?
    I don't want to send the private key with every request in cookie. SSL should be OK, but i'd like to provide the website the highest level of security.

    Maybe it's possible to don't send particular cookie, but till now I didn't find an answer.


    Originally Posted by MrFujin
    It sounds more like you need some kind of a login/member application.
    This is a main requirement of the job - it must be a webpage.

IMN logo majestic logo threadwatch logo seochat tools logo