Authenticate without using a server

Question:

I'm looking for ideas to authenticate a user without the usual trip to a server. Any semi-secure way of authenticating a user on the client side is acceptable.

I'm thinking of storing some encrypted secret in a JS file, then only users that have the correct code will be able to decrypt it, and the correct code can be either entered or stored in a cookie or something. Sound good, or any other ideas?

Answer1:

Take a look at OAuth with client-side JavaScript. Search Google for 'oauth client side only'.

For example, this - <a href="https://developers.google.com/accounts/docs/OAuth2UserAgent" rel="nofollow">https://developers.google.com/accounts/docs/OAuth2UserAgent</a>

Answer2:

<blockquote>

I'm thinking of storing some encrypted secret in a JS file, then only users that have the correct code will be able to decrypt it, and the correct code can be either entered or stored in a cookie or something.

</blockquote>

What you're asking for is definitely possible, but I'm not sure it will actually be useful to you.

You need to use a key-derivation function like <a href="http://en.wikipedia.org/wiki/PBKDF2" rel="nofollow">PBKDF2</a> ("Password-Based Key Derivation Function 2"). The user enters a password, then the KDF transforms the password into a key. Then, you use the key to operate a strong symmetric cipher like AES (and make sure you use a secure mode of operation like CBC). This approach is reasonably secure, but it's still vulnerable to key loggers (OS-level and browser-level) and memory-state examination.

The important point here is that the user must enter a password in order to <em>encrypt</em> the secret in the first place. You can't send the user a secret and then demand a password. The user can use a password to encrypt a message and then have the system require that same password later for future access.

Alternatively, you could choose the password yourself, generate the key and encrypted data, and then send your chosen password (along with the encrypted data) to the user to remember or store securely.

Practically speaking, <a href="https://code.google.com/p/crypto-js/" rel="nofollow">CryptoJS</a> is a JavaScript implementation that supports both AES and PBKDF2.

Answer3:

Maybe you can store a hash of a password and encrypt the sensible application JS source code, in order to evaluate it when the user is "authenticated" with the correct key?

See <a href="http://www.stevesouders.com/blog/2009/12/07/downloading-javascript-as-strings/" rel="nofollow">this</a> article about Google's method of JavaScript processing. Use an encrypted JavaScript string as source code, and you are client-side secure?
