I'm looking for ideas to authenticate a user without the usual trip to a server. Any semi-secure way of authenticating a user on the client side is acceptable.
I'm think of storing some encrypted secret in a js file, then only users that have the correct code will be able to decrypt it, and the correct code can be either entered or stored in a cookie or something. Sound good, or any other ideas?Answer1:
For example, this - <a href="https://developers.google.com/accounts/docs/OAuth2UserAgent" rel="nofollow">https://developers.google.com/accounts/docs/OAuth2UserAgent</a>Answer2:
I'm think of storing some encrypted secret in a js file, then only users that have the correct code will be able to decrypt it, and the correct code can be either entered or stored in a cookie or something.</blockquote>
What you're asking for is definitely possible, but I'm not sure it will actually be useful to you.
You need to use a key-derivation function like <a href="http://en.wikipedia.org/wiki/PBKDF2" rel="nofollow">PBDFK2</a> ("Password-Based Key Derivation Function 2"). The user enters a password, then the KDF transforms the password into a key. Then, you use the key to operate a strong symmetric cipher like AES (and make sure you use a secure mode of operation like CBC). This approach is reasonably secure, but it's still vulnerable to key loggers (OS-level and browser-level) and memory-state examination.
The important point here is that the user must enter a password in order to <em>encrypt</em> the secret in the first place. You can't send the user a secret and then demand a password. The user can use a password to encrypt a message and then have the system require that same password later for future access.
Alternatively, you could choose the password yourself, generate the key and encrypted data, and then send your chosen password (along with the encrypted data) to the user to remember or store securely.
Maybe you can store a hash of a password and encrypt the sensible application JS source code, in order to evaluate it when the user is "authenticated" with the correct key ?