GWT RPC Encryption
639 views
Skip to first unread message
Deep Blue
May 29, 2009, 3:29:22 AM5/29/09
to Google Web Toolkit
Hi all,
Is it possible to create an encyption / decryption layer around GWT
rpc mechanism?
The problem is currently in GWT rpc, all the data are sent / received
from server in JSON text (although SSL can help protect middle-man
attack, but launching firefox with firebug can see all the post data
in clear text).
Anyone got any idea how to create a layer to encrypt the data in
server side (after the serialization), and decrypt it in client side
(before the deserialization)?
I know it can't totally prevent the user from decrypting (since the
decryption logic is sent to user's pc as javascript), but it is better
than expose the data in clear text just using firebug plugin.
Thanks!
Is it possible to create an encyption / decryption layer around GWT
rpc mechanism?
The problem is currently in GWT rpc, all the data are sent / received
from server in JSON text (although SSL can help protect middle-man
attack, but launching firefox with firebug can see all the post data
in clear text).
Anyone got any idea how to create a layer to encrypt the data in
server side (after the serialization), and decrypt it in client side
(before the deserialization)?
I know it can't totally prevent the user from decrypting (since the
decryption logic is sent to user's pc as javascript), but it is better
than expose the data in clear text just using firebug plugin.
Thanks!
Vitali Lovich
May 29, 2009, 10:49:39 AM5/29/09
to Google-We...@googlegroups.com
On Fri, May 29, 2009 at 3:29 AM, Deep Blue <deep.blue.li@gmail.com> wrote:
Hi all,
Is it possible to create an encyption / decryption layer around GWT
rpc mechanism?
The problem is currently in GWT rpc, all the data are sent / received
from server in JSON text (although SSL can help protect middle-man
attack, but launching firefox with firebug can see all the post data
in clear text).
SSL is fine. What your thinking of is impossible (& it's why there's no such thing as fool-proof DRM). You're trying to have Alice send a secret message to Bob while keeping that message secret from Alice.
Anyone got any idea how to create a layer to encrypt the data in
server side (after the serialization), and decrypt it in client side
(before the deserialization)?
You could always supply the server's RSA public key to have the serializer encrypt the data with that prior to sending, but I don't see the purpose since the user can still use firebug to put a breakpoint in the serializer code to read the data before-hand. You're just making your life more difficult & complicated without reason.
I know it can't totally prevent the user from decrypting (since the
decryption logic is sent to user's pc as javascript), but it is better
than expose the data in clear text just using firebug plugin.
I think you need to learn how asymmetric encryption works. Just because you have the algorithm & encryption key doesn't mean you can decrypt the data. If you're thinking of the symmetric encryption (i.e. AES), then yes, algorithm + encryption key is enough to decrypt.
Thanks!
Jason Essington
May 29, 2009, 10:56:30 AM5/29/09
to Google-We...@googlegroups.com
You cannot keep data encrypted on the client if you expect to allow
the client to use it. Anything that you want to protect from the user
should never leave the server.
for instance DVD and HD-DVD and BlueRay all attempt to keep their
formats encrypted from the user, but the user is required to decrypt
the data to view the content ... meaning that the user is given the
keys to unlock the data .... meaning that all of their encryption
methods have been broken.
What you describe has big FAIL stamps posted all over it.
simply use HTTPS and protect the data while in transit, and don't send
anything to the client that you don't want the client to have access to.
-jason
the client to use it. Anything that you want to protect from the user
should never leave the server.
for instance DVD and HD-DVD and BlueRay all attempt to keep their
formats encrypted from the user, but the user is required to decrypt
the data to view the content ... meaning that the user is given the
keys to unlock the data .... meaning that all of their encryption
methods have been broken.
What you describe has big FAIL stamps posted all over it.
simply use HTTPS and protect the data while in transit, and don't send
anything to the client that you don't want the client to have access to.
-jason
Daniel Jue
May 29, 2009, 11:06:41 AM5/29/09
to Google-We...@googlegroups.com
On Fri, May 29, 2009 at 10:56 AM, Jason Essington
<jason.e...@gmail.com> wrote:
<jason.e...@gmail.com> wrote:
> simply use HTTPS and protect the data while in transit, and don't send
> anything to the client that you don't want the client to have access to.
>
> -jason
On that note, use lightweight display models (not your full
bean/model) and do more validation on the server for the data the user
submits.
Is there anything else I'm missing here? Veterans fill me in please...
Deep Blue
May 29, 2009, 11:09:29 PM5/29/09
to Google Web Toolkit
Hi,
Thanks all for the comments / opinions.
I agreed with Daniel and Jason that we shouldn't send any extra info.
to client and protect from server side.
However, some of my clients are paranoid about the data is being
exposed to users as clear text and they are able to forge the request
to retrieve data from server.
This is just one step more protection, but should be effective in
prevent normal users from forging the request just by using plugin in
firefox.
GWT has already obfuscated the javascript source code when compiling,
this is great.
I was thinking maybe we can take one step further to encrypt the data
(only for sensitive information rpc.)
We will protect the data / request from server side, but to let
clients able to rest assure, I am just trying to look out any way we
can implement the encryption in GWT.
I know it sounds ridiculous, but sometimes clients are ridiculuous.
Thanks all for the comments / opinions.
I agreed with Daniel and Jason that we shouldn't send any extra info.
to client and protect from server side.
However, some of my clients are paranoid about the data is being
exposed to users as clear text and they are able to forge the request
to retrieve data from server.
This is just one step more protection, but should be effective in
prevent normal users from forging the request just by using plugin in
firefox.
GWT has already obfuscated the javascript source code when compiling,
this is great.
I was thinking maybe we can take one step further to encrypt the data
(only for sensitive information rpc.)
We will protect the data / request from server side, but to let
clients able to rest assure, I am just trying to look out any way we
can implement the encryption in GWT.
I know it sounds ridiculous, but sometimes clients are ridiculuous.
Peter Ondruška
May 30, 2009, 1:50:55 AM5/30/09
to Google-We...@googlegroups.com
You may be interested in data signing not encryption.
hazy1
May 30, 2009, 2:21:01 AM5/30/09
to Google Web Toolkit
If you are worried about replay attacks use a random token as part of
each response/request pair.
each response/request pair.
Mark Renouf
May 30, 2009, 10:13:15 AM5/30/09
to Google Web Toolkit
Re: request signing
At the GWT fireside chat at Google I/O, I asked about the possibility
of a per-request handler for the new RPCRequestBuilder coming in GWT2.
They mentioned it had been considered.
With a user method invoked just before the request is sent, you could
easily implement GWT-RPC signature/authentication transparently and
protect the integrity of the entire request. MD5, SHA1 and event
HmacSHA1 work reasonably when ported to translatable Java source. I've
successfully performed authenticated Amazon S3 requests in this way,
straight from the browser.
At the GWT fireside chat at Google I/O, I asked about the possibility
of a per-request handler for the new RPCRequestBuilder coming in GWT2.
They mentioned it had been considered.
With a user method invoked just before the request is sent, you could
easily implement GWT-RPC signature/authentication transparently and
protect the integrity of the entire request. MD5, SHA1 and event
HmacSHA1 work reasonably when ported to translatable Java source. I've
successfully performed authenticated Amazon S3 requests in this way,
straight from the browser.
Deep Blue
Jun 1, 2009, 5:46:23 AM6/1/09
to Google Web Toolkit
Thanks for the comments.
So, we are not able to implement this in current version of GWT?
So, we are not able to implement this in current version of GWT?
Mark Renouf
Jun 1, 2009, 7:40:19 PM6/1/09
to Google Web Toolkit
Not without modifications to the RPC subsystem. code generators and
API.
There is a Wiki doc on the proposed design:
http://code.google.com/p/google-web-toolkit/wiki/RpcAuth
API.
There is a Wiki doc on the proposed design:
http://code.google.com/p/google-web-toolkit/wiki/RpcAuth
Deep Blue
Jun 2, 2009, 3:05:53 AM6/2/09
to Google Web Toolkit
Thanks, Mark.
> > > > > I know it sounds ridiculous, but sometimes clients are ridiculuous.- Hide quoted text -
>
> - Show quoted text -
>
> - Show quoted text -
Reply all
Reply to author
Forward
0 new messages