Welcome!

Java IoT Authors: Zakia Bouachraoui, Pat Romanski, Elizabeth White, Liz McMillan, Yeshim Deniz

Related Topics: Machine Learning , Java IoT

Machine Learning : Article

AJAX Lockdown

A new concept of data privacy and security for AJAX-based Web applications using client-side data encryption

AJAX is definitely taking Web applications to the next level in ease of use and desktop-like user interfaces. And it can even be used to create the secure, privacy-oriented Web applications that are so needed in today's Web world.

AJAX is based on Web browsers endowed with powerful JavaScript engines.

In this article I'll explain a framework for AJAX-based Web applications based on client-side data encryption using a Secure Key for maximum data security and privacy. This framework can be used with any Web application, saving a lot of potentially sensitive user data like bank account details and login details for Web sites.

This framework will put the user in full control of sensitive data; the back-end server will just be a mechanism to save the encrypted blob from the user. It's based on client-side JavaScript and XML for all the business logic and data encryption/decryption, searching, and sorting. It will also open up new dimensions for making online payments and banking since it can talk to different Web Services from the client browser instead of going through an intermediate server, thus minimizing the risk of any third party intruding on the data.

Regular unencrypted user data will be present only in the client browser. Anywhere outside the client browser the data will be encrypted, be it on the wire or saved in a back-end database to maximize security and privacy. And I'll explain how to write an easy AJAX-based Web application using DWR (Direct Web Remoting) with this framework.

The Need for a Client-side Encryption Framework
When saving sensitive private information in any Web application, questions always cross my mind. How secure is my private data? Do I really trust all the servers where it's saved? Most of the time I have to trust the server since there's no other way to get stuff done using the current Web application security framework.

All Web applications save private user information in their databases either encrypted or unencrypted with a server-generated key, which creates a major threat since the mechanism to view the data lies with the server and is available to all sorts of manipulation by the back-end server's users and any interloper with access to the server. So for Web applications where user privacy is a primary concern, there's no robust architecture to give users the upper hand in controlling their private data.

Our framework, using client-side encryption to encrypt user data, gives the user full control of the data and the data is encrypted once it leaves the user's browser. The user is given the ultimate privacy and security and can rest assured that no one can do anything with it. But coming up with a real functional Web application using this concept is a little difficult without the power of AJAX and JavaScript. Figure 1 shows the data transfer mechanism in a typical Web application. Figure 2 shows how the client-side encryption concept works differently than typical Web applications.

In Figure 2, the basic data transfer mechanism is shown for Web applications doing client-side encryption where the data is in encrypted form anywhere outside the browser JS engine. In a classical Web application, HTTPS/SSL is implemented only to transfer the data encrypted on the wire, but once it reaches the server, it resides in unencrypted form or is encrypted with a server-generated key.

For client-side data encryption to work and ensure data privacy the private user data in the browser is encrypted with a user-provided key (secure key) that is never transported or saved in the server. The data is saved in encrypted form in the server and the server doesn't have a clue what the unencrypted data is! And when getting the private user data back from the server, the data is downloaded in encrypted form. To view the data or to take any action on the data it has to be decrypted using the Secure Key used to encrypt it. The data lives its unencrypted life only in the browser's user session and all the logic to interact with any Web Service to do application logic or any searching or sorting is done using JavaScript and XML programming on the client side. This puts a lot of processing and application logic in the client-side JavaScript engine, but it's secure enough that it's virtually impossible to break in.

Let me use an analogy and explain the concept in terms of a person storing his valuables in a safety deposit box at a bank. A person (our user) opens a safety deposit box account (the user account) at a bank (your typical Web application) and stores all his valuables (his private data) there, but the box's key (the password) stays with the bank and the user can only get it after verifying his identity to the bank. He can go to the bank anytime and verify his identity and get access to his valuables, but since the key stays with bank, the bank has full access to the stash. Our concept lets the person put a lock on the valuables using a private key (a Secure Key) before storing them in the box so the bank doesn't have access. Only the person with the key has access to the box. In the real world too, this concept adds more robust security to the user scenario.

Simple Use Cases Where the Framework May Be Useful
Our framework is useful in any Web application where the user's privacy and security is a major concern. I'll provide use cases for two simple Web applications where it will find great application.

An Online Account Handler Application
If you think about the different online accounts you open or maintain everyday, you know it would be precious to have a Web application where you can store and manage the login credentials for all your Web accounts without sacrificing privacy. The technology in typical Web applications doesn't scale well. Our approach guards the user's interest and gives him full control of his private data.

Online Shopping and Payment Applications
There's a plethora of Web applications that save user bank and credit card information online so the user can make payments with the click of a mouse and give him a rich experience in terms of ease of use, but they also expose him to phishing attacks. The client-side encryption framework offers both ease of use and enough security for them to put their private information on them without hesitation. On the server side there will be less rumpus about password or credit card theft since it will be impossible for anyone other than the user to make use of the secured private information. Hackers can break into the site but it won't matter.

Banking and online shopping sites could put a stop to phishing and other vulnerabilities with this approach if the Secure Key combined the user-provided key and a unique server key to identify the server.

A Sample Web Application with the Concept at Work
Now let's see how easy it is to put this client-side encryption framework to use in a very basic implementation. I'll take the use case of an online account handler application and write a reference implementation. The application I implement will explain the idea of client-side encryption in detail.


More Stories By Indroniel Deb Roy

Indroniel Deb Roy works as an UI Architect for BlueCoat Systems.He has more than 10 years of development experience in the fields of J2EE and Web Application development. In his past he worked in developing web applications for Oracle, Novell, Packeteer, Knova etc. He has a passion for innovation and works with various Web2.0 & J2EE technologies and recently started on Smart Phone & IPhone Development.

Comments (6)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Moroccanoil®, the global leader in oil-infused beauty, is thrilled to announce the NEW Moroccanoil Color Depositing Masks, a collection of dual-benefit hair masks that deposit pure pigments while providing the treatment benefits of a deep conditioning mask. The collection consists of seven curated shades for commitment-free, beautifully-colored hair that looks and feels healthy.
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
We all love the many benefits of natural plant oils, used as a deap treatment before shampooing, at home or at the beach, but is there an all-in-one solution for everyday intensive nutrition and modern styling?I am passionate about the benefits of natural extracts with tried-and-tested results, which I have used to develop my own brand (lemon for its acid ph, wheat germ for its fortifying action…). I wanted a product which combined caring and styling effects, and which could be used after shampo...
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Druva is the global leader in Cloud Data Protection and Management, delivering the industry's first data management-as-a-service solution that aggregates data from endpoints, servers and cloud applications and leverages the public cloud to offer a single pane of glass to enable data protection, governance and intelligence-dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it. Druva's...
BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.