HTML5 client-side data encryption - what are my options?

Question

I am working on a mobile web app which displays some sensitive information and requires a login which stores the member's username and password in an HTML5 Session. The username and password are currently stored in an unencrypted state for the reason that we need to use this username and password on each page load to access the client's remote web service.

After a security review our client raised the following concern:

"There is the potential that Session Storage information can get stored on disk (e.g. on a browser crash). For this reason no sensitive information should be stored unencrypted in session storage. User IDs and session tokens can be stored since session timeouts are implemented; however, storing of passwords/PINs is not recommended."

What would be the best/most secure method of encrypting and decrypting sensitive data stored client-side?

Thanks!

Recommended answer

See this: HTML5 Web DB Security

Client-side encryption libraries are not mature enough or not tested enough

...but it's been a year ago, so that could be false already
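
An added example, not part of the original question or answer: one way to keep a sessionStorage entry encrypted at rest using the browser's built-in Web Crypto API (AES-GCM) instead of a third-party library, storing a session token rather than the password as the review recommends. The function names, the `memoryStorage` stand-in and the sample token are hypothetical; keeping the non-extractable key available across page loads (for example in IndexedDB) is assumed and not shown.

```javascript
// Web Crypto handle; outside a browser (Node < 19) fall back to node:crypto.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Non-extractable key: page script can use it but cannot export the raw bytes.
function newSessionKey() {
  return webCrypto.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt `value` and store it under `name`. The entry name is bound in as
// additional authenticated data, so a ciphertext cannot be moved to another entry.
async function putProtected(storage, key, name, value) {
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh IV per write
  const ct = await webCrypto.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(name) }, key, enc.encode(value));
  storage.setItem(name, toB64(iv) + '.' + toB64(ct));
}

// Returns the plaintext, or null if the entry is missing, malformed or fails authentication.
async function getProtected(storage, key, name) {
  const raw = storage.getItem(name);
  if (typeof raw !== 'string' || !raw.includes('.')) return null;
  const [ivB64, ctB64] = raw.split('.');
  try {
    const pt = await webCrypto.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(ivB64), additionalData: enc.encode(name) },
      key, fromB64(ctB64));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // tampered data, wrong key, or bad encoding
  }
}

// Constructed stand-in for window.sessionStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Constructed demo: store a token, read it back, then copy the ciphertext elsewhere.
async function demo() {
  const storage = memoryStorage(), key = await newSessionKey();
  await putProtected(storage, key, 'sessionToken', 'constructed-token-123');
  const stored = storage.getItem('sessionToken');
  storage.setItem('other', stored); // ciphertext copied to a different entry
  return { stored, extractable: key.extractable,
    roundTrip: await getProtected(storage, key, 'sessionToken'),
    moved: await getProtected(storage, key, 'other') };
}
```

This covers the concern raised in the review (session storage contents written to disk); it does not protect the value from script already running in the page, which can call the same key.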
