Secured Client-Side script

9

2

I have a particular requirement where some critical algorithms have to be handled in the client-side script, and they have to be secured. Using JavaScript will just expose the algorithm. I am currently evaluating ways to secure the algorithm in the client script. I would appreciate any suggestions and alternative approaches.

One option I am thinking about is to download a small applet to the local PC, get the calculations done in it and update the results back. Before deciding on this, I want to know if a client script itself can be made secure, because that would be much easier.

Thanks in advance!

Lugworm answered 24/11, 2009 at 16:39 Comment(4)
"Secured client-side" isn't that an oxymoron? – Elayne
Define "secured"? If you mean preventing reverse engineering, that's impossible. – Epizootic
@Martin - Not when you spell it like onmoryox, that's a totally different thing. – Byebye
Theoretical and practical are very different; if we could see an example of this in the answers it'd be great. Only an idiot leaves their doors unlocked simply because any lock can be picked (and it can). – Garlicky
4

You CANNOT secure anything on a client PC.

Everything you are doing client-side is crackable and spoofable.

That's the PC of the client. It will be doing anything the client has requested it to do.

Englert answered 24/11, 2009 at 16:41 Comment(0)
3

Script is not secure. Also, what level of security do you need? If you download anything to the client, the client will be able to look at the algorithm. Of course, if you download a native dll, then decompiling it will be harder; the question is whether this is good enough.

That's an important thing most people miss when evaluating security: nothing is truly 100% secure, because your server admin could go in and steal the binaries off your server. And if you're using third-party hosting, who knows who has access to the server.

The idea is to raise the bar. Do you want to prevent the average script kiddie? Obfuscate it, make it hard for them to understand; the gain from understanding the algorithm might not justify the pain of trying to understand it.

The best that you can probably do is keep the algorithm on the server and expose it via a web service.

Kinsman answered 24/11, 2009 at 16:43 Comment(1)
Thanks Josh. I completely agree with you that nothing is 100% secure. I just didn't want the script to be very obvious. Downloading a native dll would be better for now. Thanks again. – Lugworm
2

Everything that the end-user controls 100% may be tampered with, and this is especially true of JavaScript, which is so easily exposed.

You are going down the wrong path. You need to rethink your approach.

Covenantee answered 24/11, 2009 at 16:43 Comment(0)
2

You could build a web service containing the critical algorithm and call it from JavaScript.

Cotoneaster answered 24/11, 2009 at 16:47 Comment(0)
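Added example, not code from the thread or from any answerer: the "keep the algorithm on the server and expose it via a web service" pattern that Kinsman and Cotoneaster recommend, in Node.js. The weighted-score "critical algorithm", its secret weights and the `/score` route are constructed for illustration; the browser only ever receives inputs and outputs, never the weights.

```javascript
// Server side (Node.js). The critical algorithm lives only in this process;
// the client gets a result, not the logic that produced it.

// Hypothetical secret: weights of a scoring function (constructed example).
const SECRET_WEIGHTS = [6, 3, 1];

// The "critical algorithm" the question wants to protect. Never shipped to the client.
function criticalScore(values) {
  return values.reduce((acc, v, i) => acc + v * SECRET_WEIGHTS[i], 0);
}

// Strict validation of untrusted input: exactly three finite numbers, else null.
function parseInput(body) {
  let data;
  try { data = JSON.parse(body); } catch (e) { return null; }
  if (!data || !Array.isArray(data.values) || data.values.length !== 3) return null;
  if (!data.values.every(v => typeof v === "number" && Number.isFinite(v))) return null;
  return data.values;
}

// Pure request handler, so the behaviour can be tested without opening a socket.
function handleScore(body) {
  const values = parseInput(body);
  if (values === null) {
    return { status: 400, body: JSON.stringify({ error: "invalid input" }) };
  }
  return { status: 200, body: JSON.stringify({ score: criticalScore(values) }) };
}

// HTTP wrapper: only POST /score is exposed, and request bodies are capped at 1 KiB.
function startServer(port) {
  const http = require("http"); // loaded lazily so the handler is usable without it
  return http.createServer((req, res) => {
    if (req.method !== "POST" || req.url !== "/score") { res.writeHead(404); res.end(); return; }
    let body = "";
    req.on("data", chunk => { body += chunk; if (body.length > 1024) req.destroy(); });
    req.on("end", () => {
      const out = handleScore(body);
      res.writeHead(out.status, { "Content-Type": "application/json" });
      res.end(out.body);
    });
  }).listen(port);
}

// Everything the browser needs to ship: a call, with no trace of SECRET_WEIGHTS.
const CLIENT_SNIPPET =
  'fetch("/score", { method: "POST", body: JSON.stringify({ values: [1, 2, 3] }) })' +
  '.then(r => r.json()).then(({ score }) => console.log(score));';
```

Call `startServer(8080)` to serve the endpoint; the only thing that can be learned from the client is the input/output relationship, which is the residual risk the thread describes.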
1

Bottom line is, if someone wants your logic... they will get it unless it is server-side and they never obtain it in any way.

What you want is a JavaScript obfuscator.

Byebye answered 24/11, 2009 at 16:42 Comment(4)
No JavaScript obfuscator can guarantee anything. – Englert
I never said it could, hence the first line of my post. – Byebye
The point is that a JavaScript obfuscator will give a false sense of security, when in fact there is little. – Englert
Hence the first line of my post. – Byebye
1

Nothing on the client side can be totally "secure".

Anything you make them download will have to be run on the client PC, and so can be analysed. If you have them download an applet or a native executable, it will still contain machine instructions that can be analysed at the very least to an assembly level.

Is there no way you can have the client upload the data to your server instead and perform the calculation on the server side?

Hydrophobia answered 24/11, 2009 at 16:42 Comment(1)
Server side is unfortunately not an option currently. Thanks for sharing your thoughts. – Lugworm
1

If it's client-side, then it's not secure. Anything with critical security concerns should be done on the server.

Glyceryl answered 24/11, 2009 at 16:43 Comment(0)
0

An NPAPI plugin will execute on the client-side and make reverse-engineering much more difficult.... but of course a determined hacker will be able to reach-through...

Picoline answered 24/11, 2009 at 16:42 Comment(11)
@EFraim: but of course you are capable of reverse-engineering it given a debugger! That's why I said much more difficult than e.g. obfuscated or not JavaScript. – Picoline
Care to explain the down-vote? Or is it just a case of "drive-by-downvoting-without-a-good-reason"? – Picoline
I don't see how an NPAPI plugin will help. It's not encrypted in any way, it's just native machine code instructions run on the client side. You'd achieve the same by just having them download an exe and run that. Anyone could read the machine code and figure out the algorithm. – Hydrophobia
I'm the one that downvoted. Reason explained in post above. I don't think NPAPI provides any significant extra security. – Hydrophobia
I had a friend in university that got fed up with a certain program crashing on him, so he decompiled it, stepped through the code with a debugger, fixed the bug, and then submitted a binary patch back to the company with the fix. If it runs on my machine I can see what it's doing, and it only takes the skills that a CS undergrad would have. – Pinafore
This answer itself is not wrong (though I personally would not upvote it); however, I have to emphasize that every attempt to solve this client side is going in the wrong direction, as stepfet said. – Englert
Guys, I used to do lots of reverse-engineering: I know for a fact that anything can be cracked. An NPAPI plugin can provide additional security given the level of sophistication that is required. It is much easier to use the integrated features of a browser such as Chrome than having to go through GDB and what not. – Picoline
Everything is relative in this Universe: if you guys can't deal with relativity (as in something X is more difficult than something Y) then I am not the one with the problem. – Picoline
@Jldupont: No one has a problem and no offence was intended by my downvote. Votes are simply a way of marking agreement or disagreement with a provided solution. I happen to disagree with your solution, but as you say this is about relative difficulty, so this is a grey area. I accept your opinion and I'm sure others will agree with you too. I hope I have not caused you any offence. – Hydrophobia
Thanks for all your thoughts. Securing client-side script was a random thought; I just wanted to see if there is some means to make it at least closer to native dlls, so it won't be a piece of cake for novice reverse engineers. I will settle for downloading native dlls to the local PC. By the way, can you suggest a reverse-engineering book? Just curious to give it a try myself. – Lugworm
I went through my "reverse engineering period" over 15+ years ago... back then, far fewer books were available: I can't recommend one, unfortunately. – Picoline
0

Theoretically (and I mean this in a Comp.Sci. sense) this is possible. The cryptographic technique is known as "fully homomorphic encryption". For now, the method isn't practical yet. There are no compilers available that are able to transform your algorithm into its equivalent secure form.

Marxism answered 28/3, 2011 at 13:58 Comment(0)