Coder Social home page Coder Social logo

bequest-interview-question-1's Introduction

Tamper Proof Data

At Bequest, we require that important user data is tamper proof. Otherwise, our system can incorrectly distribute assets if our internal database is breached. Only the user is able to update their own data. There are 2 parties that read the data, the user and our server.

How does the client insure that the data has not been tampered with?
If the data has been tampered with, how can the client recover the lost data?

** See development branch **

Proof of concept implementation, crypto.webcrypto.SubtleCrypto shouldn't really be used for this purpose and would be converted to a more cryptographically secure library.

A) We need to create a way to verify and sign data that ensures it's coming from both the server and client

  • To do this, we'll start by creating an assymetric RSA key for both the client and the server. We then generate an RSA-PSS key to sign the data as the server.
  • We'll share the client's public key with the server, using it to encrypt a symmetric AES key and signature shared between the two
  • We encrypt the AES key and the signature with the client's public key, sending it back at which time the client saves it and the connection has been secured.
    • If the server has a static encryption key then we can save the signature and assume for future connections, this is the expected server signature.
  • Anytime data comes from the server, it's encrypted with the shared AES key and signed with the server's private RSA key
  • We can verify the data is coming from a trusted server using the signature
  • From here we'll check the hash signature of the data. If the data has been tampered with, Data on the client won't match the hash signature of data provided by the server.
  • This implies the data has been tampered with on the server, in which case we will assume the data stored on the client is the expected data.

B) In the event the data has been tampered with, We'll keep a redundant copy on the client's localStorage.

  • To do this, Whenever the client sends data to the server.

  • Upon sending it to the server, assuming the client signature matches and decryption is successful, the server will update the values in the database.

  • Once the data has been updated on the server, we store the hash and a redundant copy of the data in localStorage.

  • This ensures we assume the data on the server has always been tamepered with and only the data on the client's local side is data we take for certain.

    • This has limitations, the 5MB limit of the browsers localStorage prevents us from storing any additional variables.
    • A potential solution is to store the encrypted data on the server. Once the client connects, only they provide the key to decrypt it upon secure connection. If the data is at rest, it doesn't need to be visible in plaintext on the server. If the client is connected, the server can then decrypt the data using the shared symmetric key at which time the data is viable for transit.
  • This has it's own problems! If the client deletes their localStorage, we lose the data! We can try to circumvent this by requesting persistent storage from the user.

To run the apps:

npm run start in both the frontend and backend

bequest-interview-question-1's People

Contributors

heyitsmass avatar r-muresan avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.