客户端加密的有效用例是什么? [英] What are the valid use cases for client side encryption?
问题描述
我刚刚阅读了关于 Stanford Javascript Crypto Library ( jsfiddle示例),它完全支持JavaScript中的SHA256,AES和其他标准加密方案。图书馆似乎很漂亮,但我不知道合理的用例。
As 本地存储空间如何?您可能想要存储一些数据,但是要加密,以便计算机的其他用户无法访问? 例如: 在您拥有胖客户端的情况下,这可能会很有用,需要在会话之间使用大量(敏感)数据,服务器数据由于大小而不可行。我不能想到应用这种情况的许多情况... 在应用程序的用户生成敏感数据和数据的情况下也可能很有用不需要(或不应该)发送(或存储在)服务器。 对于一个应用示例,您可以存储用户的信用卡详细信息本地加密,并使用JS自动将其输入到表单中。您可以这样做,而不是存储数据服务器端,并以这种方式提供预先填充的表单,但是使用此方法,您不必在服务器上存储其信用卡详细信息(在某些国家/地区有严格的法律)。显然,关于存储加密在用户机器上的信用卡信息是否存在与存储服务器端相比的安全风险是有争议的。 可能更好应用示例... 我不知道使用这种技术的任何现有项目。 通过HTTPS进行性能改进,通过密码共享来实现? 例如: p> 这种用例可能不是全部值得的,因为HTTPS通常具有可接受的性能级别,但是如果您需要更多的速度,则会有所帮助。 主机验证存储。您可以加密数据客户端,然后将其发送到服务器。服务器可以存储数据并共享数据,但不知道客户端的私钥,则无法对其进行解密。这被认为是 lastpass 等服务的基础。 I just read about the Stanford Javascript Crypto Library (jsfiddle example) which supports SHA256, AES, and other standard encryption schemes entirely in javascript. The library seems very nifty, but I don't know of a reasonable use case for it. As some questions have already pointed out, client side encryption is not a safe way to pass secure data to a server. HTTPS should be used instead. So, are there any projects that would benefit from or require client side encryption? How about local storage? You might want to store some data, but encrypt it so that other users of the computer cannot access it? For example: This could be useful in cases where you have a fat client, with lots of (sensitive) data that needs to be used across sessions, where serving the data from the server is infeasible due to size. I can't think of that many instances where this would apply... It could also be useful in cases where the user of the application generates sensitive data and that data does not need to (or shouldn't) ever be sent to (or stored on) the server. For an applied example, you could store the user's credit card details locally, encrypted and use JS to auto-enter it into a form. You could have done this by instead storing the data server side, and serving a pre-populated form that way, but with this approach you don't have to store their credit card details on the server (which in some countries, there are strict laws about). Obviously, it's debatable as to whether storing credit card details encrypted on the user's machine is more or less of a security risk than storing it server side. There's quite probably a better applied example... I don't know of any existing project which use this technique. How about for performance improvements over HTTPS, facilitated via password sharing? For example: This use case is probably not all that worthwhile, because HTTPS generally has acceptable performance levels, but would help if you need to squeeze out a bit more speed. Host proof storage. You can encrypt data client side and then send it to the server. The server can store the data and share it, but without knowing the client's private key, it cannot decrypt it. This is thought to be the basis for services such as lastpass. 这篇关于客户端加密的有效用例是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!用例1
使用案例2
用例3
Use Case 1
Use Case 2
Use Case 3