Client Data Storage
Classification Key
: Core Security, Tampering
Problem
In a client server system, there may be necessity to store data on the client. This data storage is necessitated for load-balancing, session management, single sign on etc. The client should not have access to view the data.
How can the data be protected from unauthorized access of the client?
Solution
Use encryption to protect the data that is stored on the client. Keep a hash value of the data to detect that the content is not tampered with. Use lightweight symmetric key to protect the data. Change the session key often to protect against guessing attacks.
Known Uses
Amazon.com, Buy.com etc store encrypted cookie in the client.
Related Patterns
Encrypted Storage
Source
Kienzle et. al. Repository
Tags
Client Server, Access Control
|