Home > Enterprise >  Client Server Encryption
Client Server Encryption

Time:09-24

I have Xamarin as my mobile client, node.js as my backend and MongoDB as database. I am trying to encrypt the user's data and save it in Database. If I do server encryption, still hackers can see the data while transmitting through APIs. Should I do client encryption, pass the data to API and store it in Database or should I do double layer encryption (i.e) Encrypting user data from client side, pass it through API, again do a server-side encryption and store it in Database. Basically, I wants to know how client server encryption works in real world.

The concern is that user's data is sensitive and needs protection even if the database is hacked.

CodePudding user response:

There are several points where we can apply encryption, this is a bit confusing, but let me explain this to you part-by-part.

Database encryption

Your concern about the safety of sensitive data even if the server is hacked is justified. So, whatever sensitive information you have, you will need to encrypt. However, there are several ways to achieve encryption. To avoid overcomplication, I will speak about two types of encryption for this level:

  • one-way encryption
  • two-way encryption

The user's password is a data that is only interesting for the user in its raw form. So, you can apply one-way encryption, that is, given the password of the user you know how to encode it, so you store the encrypted version of the password and subsequently whenever the user logs in, validate his/her password by comparing the result of encrypting whatever he/she typed in vs. what is stored in the database. However, you should not be able to decrypt the encrypted password, because passwords need a single direction anyway, that looks like:

  • user types the value
  • which is sent to the server
  • which receives it
  • and encrypts the raw password
  • and then compares the encrypted version of the received password with the encrypted password that is stored

The other way to encrypt data at this level is a two-way encryption, that is, an encryption method that you can actually decrypt. You need to use this approach for any data that you may need in raw form for some reason, like showing it to the user.

Server encryption of data sent to the user

If your project owner is worried about the safety of your user's device/application (like the vulnerability of browsers using unsafe extensions or users visiting strange sites with their browser), then some data sent to the user can be encrypted. Avoid this unless you are specifically needing to perform such an act.

Client encryption of data sent to the server

If the communication channel is unsafe, then you might need to apply some encryption on client-side before sending the values to the server.

Good news! HTTPS!

HTTP stands for HyperText Transmit Protocol. Its HTTPS version is already encoding the messages, it stands for HyperText Transmit Protocol Secure. If you are already using HTTPS as a protocol, then your client-side requests are already encrypted, so a third-party listening to the requests you are sending will receive some gibberish of data at request send and response receive events.

Summary

If you are not asked for further encryptions, then you should use HTTPS and one-way-encoding of passwords on your database, because this is the real-world approach in general. If you need to perform further safety-measures either because you have further sensitive user information or some genuine worry about some aspect of the project, or just a requirement, then you can extend this approach with whatever else you need. But HTTPS and one-way encoding the password on database level is an absolute must.

  • Related