How to add client-side security

Adding Client-Side Security with a Translucent Database

Many applications do not require a thick layer of security at the server. It is possible to use a modest amount of encryption and one-way functions to obscure the sensitive columns or key-value pairs, a technique often called a translucent database. (See description.)

The simplest solutions use a one-way function like SHA-256 at the client to scramble the name and password before storing the information. Here's a quick example of what a table of store purchases might look like before the data is scrambled:

Before Translucency

|| name || password || product name || purchase date || size 1 || size 2 ||
|| Bob Jones || Swordfish || Brawny Pants || Jan 24 2009 || 32 || 34 ||
|| Bob Jones || Swordfish || Dancing Pants || Jan 24 2009 || 32 || 34 ||
|| Mary Smith || plastics || Broadway Hat || Jan 24 2009 || 10 || - ||
|| Mary Smith || plastics || Shopping Pants || Jan 25 2009 || 26 || 28 ||
|| Constance Dalmation || greeny || Shopping Pants || Jan 26 2009 || 25 || 27 ||

After Translucency

|| SHA256(name&password) || product name || purchase date || size 1 || size 2 ||
|| a67373bc873aacd99392 || Brawny Pants || Jan 24 2009 || 32 || 34 ||
|| a67373bc873aacd99392 || Dancing Pants || Jan 24 2009 || 32 || 34 ||
|| 3c939a9d9939de993993 || Broadway Hat || Jan 24 2009 || 10 || - ||
|| 3c939a9d9939de993993 || Shopping Pants || Jan 25 2009 || 26 || 28 ||
|| 99929d99c9a999a9dd8d || Shopping Pants || Jan 26 2009 || 25 || 27 ||
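The scheme in the two tables, as an added JavaScript (Node.js) example that is not part of the original page: the client derives the row key with SHA-256, and the store only ever receives the scrambled rows. The length-prefixed encoding of the name, the field names and the `makeStore` stand-in for the server are assumptions made for this example.

```javascript
const { createHash } = require('node:crypto');

// Client side: derive the opaque row key from name and password.
// Assumption: the name's byte length is prefixed so ("ab","c") and
// ("a","bc") cannot produce the same hash input.
function rowKey(name, password) {
  return createHash('sha256')
    .update(`${Buffer.byteLength(name)}:${name}&${password}`, 'utf8')
    .digest('hex');
}

// Client side: replace name and password with the key before sending.
function toTranslucent(purchase) {
  const { name, password, ...visible } = purchase;
  return { key: rowKey(name, password), ...visible };
}

// Hypothetical stand-in for the server: it only ever stores translucent rows.
function makeStore() {
  const rows = [];
  return {
    insert: (row) => { rows.push(row); },
    findByKey: (key) => rows.filter((r) => r.key === key),
    dump: () => rows.map((r) => ({ ...r })),
  };
}

// Sample rows copied from the "Before Translucency" table.
const purchases = [
  { name: 'Bob Jones', password: 'Swordfish', product: 'Brawny Pants', date: 'Jan 24 2009', size1: 32, size2: 34 },
  { name: 'Bob Jones', password: 'Swordfish', product: 'Dancing Pants', date: 'Jan 24 2009', size1: 32, size2: 34 },
  { name: 'Mary Smith', password: 'plastics', product: 'Broadway Hat', date: 'Jan 24 2009', size1: 10, size2: null },
  { name: 'Mary Smith', password: 'plastics', product: 'Shopping Pants', date: 'Jan 25 2009', size1: 26, size2: 28 },
  { name: 'Constance Dalmation', password: 'greeny', product: 'Shopping Pants', date: 'Jan 26 2009', size1: 25, size2: 27 },
];

// Load the table the way a client would, one translucent row at a time.
function loadStore() {
  const store = makeStore();
  for (const p of purchases) store.insert(toTranslucent(p));
  return store;
}

// A returning client re-derives the key to fetch only its own rows.
const store = loadStore();
console.log(store.findByKey(rowKey('Mary Smith', 'plastics')));
```

A client that mistypes the password derives a different key and gets no rows back, without the store performing any access check of its own.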

This solution gives the client control of the data in the database without requiring a thick layer on the database to test each transaction. Some advantages are:

There are limitations:

There are many variations on the theme detailed in the book ''Translucent Databases'' including:

Here are several case studies:

Client-Side Libraries

Here are some JavaScript libraries for implementing client-side security:

last edited 2009-03-27 18:54:17 by PeterWayner