Browser-based encryption / decryption with private key from browser key store

My situation:

  • The medical staff wants to enter patient confidential data into a web browser (!) in order to save it in a database and then restore it again.

  • This data cannot be seen by anyone other than the medical staff. This means that it must be encrypted using a secret token before being transferred to the server. It also means that neither IT staff (having access to the server / database) nor anyone else can decrypt it without a secret token. (If the token is lost, the data will never be available again.)

  • No additional software should be installed on the client machine, except for some token (for example, a private key), which one will export once and import into all browsers from which access to the data should be provided.

So my question is:

Is there a way to encrypt / decrypt data on the client side (for example, using JavaScript) using a secret browser token that can be easily exchanged between browsers (i.e. export / import, similar to X.509 certificates)?

If not, what alternative solutions are possible? Since conditions 1 and 2 are mandatory, only condition 3 can be changed if necessary. However, as little installation effort as possible is necessary on the client side.

EDIT: SSL is obviously only part of the answer to this question!

+7
3 answers

Take a look at the encryption of personal information about the web browser, whose "Summary" section seems to describe your problem. However, their "access code", which generates the encryption key, must be shared, which will not allow you to differentiate the medical staff.

We describe a remote data entry system that allows data that would identify the patient to be encrypted in the web browser by the person entering the data. This data cannot be decrypted on the server by data center employees, but it can be decrypted by the person entering the data or their delegate. We developed this system to solve a problem that arose in the context of clinical trials, but it is applicable in a range of situations where confidential information is stored and updated in a database and it is necessary to ensure that it cannot be viewed by anyone other than those intentionally granted access.

+5

There is a JavaScript implementation of AES encryption that encrypts plain text in a browser. If you create something around these tools, the server side will save only the encrypted text and will not have a passphrase.

http://www.fourmilab.ch/javascrypt/

It does not require additional installation on the client side, but it will probably require some development efforts in order to obtain the right of the user.

+3
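
The scheme outlined above (encrypt in the browser, store only ciphertext on the server), combined with the exportable token the question asks for, as an added example that is not code from this thread or from JavaScrypt. It uses the standard Web Crypto API with AES-GCM; the function names, the JWK token format and the sample record are assumptions made for illustration.

```javascript
// Added example. Uses the standard Web Crypto API; the require() fallback only
// exists so the same file also runs under older Node.js outside a browser.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Run once: create the shared secret and return it as a JWK string that staff
// export to a file and import into every browser that needs access.
async function createStaffToken() {
  const key = await wc.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  return JSON.stringify(await wc.subtle.exportKey("jwk", key));
}

// Import the token as a non-extractable key: page script can use it, but
// exportKey() on the imported key is refused.
async function importStaffToken(jwkJson) {
  return wc.subtle.importKey(
    "jwk", JSON.parse(jwkJson), { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
}

// Encrypt one record. The record id is bound as additional authenticated data,
// so a ciphertext copied to a different row fails to decrypt.
async function encryptRecord(key, recordId, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per record
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(recordId) },
    key, enc.encode(plaintext));
  return { id: recordId, iv: toB64(iv), ct: toB64(ct) }; // all the server ever stores
}

// Decrypt a stored row; rejects if the key is wrong or the row was altered.
async function decryptRecord(key, row) {
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: fromB64(row.iv), additionalData: enc.encode(row.id) },
    key, fromB64(row.ct));
  return dec.decode(pt);
}

// Constructed sample data, not from the page.
async function demo() {
  const key = await importStaffToken(await createStaffToken());
  const row = await encryptRecord(key, "patient-0001", "Jane Doe, 1970-01-01");
  return { row, roundTrip: await decryptRecord(key, row) };
}
```

The exported JWK string is the secret token: whoever holds it can decrypt every record, and if it is lost the stored data cannot be recovered, as the question already accepts.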

Thanks to the efforts of ProtonMail, the browser now implements an open source privateKey implementation: https://openpgpjs.org/

This has done some security checks and is the basis of protonmail.com, so it has pretty good entries and an assistant in place. They also have a good summary of important security browser models.

0