Basic Encryption question

    Question

  • This might be a rather dumb question, but... The Win 8 app I am developing has a need for encryption of data. Looking around, I see questions on AES encryption/decryption in C#/JavaScript. This strikes me as locking your house and then leaving the key at the front door. If you are decrypting a C# encrypted string in JavaScript, don't you need to have the AES key and IV in JavaScript on the client machine? Doesn't that basically tell anyone interested in looking how to encrypt and decrypt your database?


    Robotuner

    Tuesday, April 29, 2014 11:43 AM

Answers

  • Language doesn't really matter here. If you have the keys on the client then they aren't secured from the user. They are at best obfuscated. It may be slightly more difficult for somebody to extract them from compiled code, but since the app needs to use them they have to be available. It's a very small step from being sophisticated enough to know to want the key to being sophisticated enough to find it in the debugger.

    If your data really needs to be secured from the user you'll need to keep it on a server. To secure the data from others you can use credentials supplied by the user.

    --Rob

     
    Tuesday, April 29, 2014 2:55 PM
    Moderator
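
One way to apply the answer's last point, as an added example that is not part of the original thread: the AES key is derived from a password the user types, so no key or IV constant ships in the app. It assumes Node.js's built-in `crypto` module rather than the Windows Runtime API, PBKDF2 with AES-256-GCM, and hypothetical function names and iteration count.

```javascript
// Added example: key comes from user-supplied credentials at run time,
// not from a constant embedded in client code.
const nodeCrypto = require('node:crypto');

const KDF_ITERATIONS = 600000; // assumed work factor; tune for target hardware

function deriveKey(password, salt) {
  // PBKDF2-HMAC-SHA256 producing a 32-byte key for AES-256
  return nodeCrypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

function encryptWithPassword(plaintext, password) {
  const salt = nodeCrypto.randomBytes(16); // per-record, not secret
  const iv = nodeCrypto.randomBytes(12);   // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored record: salt | iv | tag | ciphertext. None of it reveals the key.
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptWithPassword(record, password) {
  const buf = Buffer.from(record, 'base64');
  if (buf.length < 44) throw new Error('record too short');
  const salt = buf.subarray(0, 16);
  const iv = buf.subarray(16, 28);
  const tag = buf.subarray(28, 44);
  const ct = buf.subarray(44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the password is wrong or the record was modified
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function tryDecrypt(record, password) {
  // Returns null instead of throwing, so callers can re-prompt the user
  try {
    return decryptWithPassword(record, password);
  } catch (e) {
    return null;
  }
}
```

This protects the stored data from anyone who lacks the password; the user who knows it can still decrypt everything, which is why data that must be kept from the user belongs on a server.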