Remove From My Forums

Basic Encryption question

Question
0

Sign in to vote

This might be a rather dumb question, but, . . . The Win 8 app I am developing has a need for encryption of data. Looking around, I see questions on AES encryption/decryption in c#/javascript. This strikes me as locking your house and then leaving the key at the front door. If you are decrypting a C# encrypted string in javascript, don't you need have the AES key and IV in javascript on the client machine? Doesn't that basically tell anyone interested in looking how to encrypt and decrypt your database?

Robotuner

Tuesday, April 29, 2014 11:43 AM

Answers

0

Sign in to vote
Language doesn't really matter here. If you have the keys on the client then they aren't secured from the user. They are at best obfuscated. It may be slightly more difficult for somebody to extract them from compiled code, but since the app needs to use them they have to be available. It's a very small step from being sophisticated enough to know to want the key to being sophisticated enough to find it in the debugger.

If your data really needs to be secured from the user you'll need to keep it on a server. To secure the data from others you can use a credentials supplied by the user.

--Rob
- Marked as answer by Jamles HezModerator Tuesday, May 6, 2014 11:15 AM
Tuesday, April 29, 2014 2:55 PM

Moderator