Client-side Encryption & Server-side Encryption Best Practices
Hello pentesting superstars, I am here again with my blog. Let's continue spreading knowledge about cyber security and best practices.
Pre-Authentication
The following methodology can be used for encrypting the data being sent from the client side to the server so that the communication achieves an extra layer of security.
- The server sends 2 cookies, a pre-authentication session cookie and a random cookie, which are mapped to each other at the backend. (Every request will create a new mapping in the database.)
- The session cookie can be used as the password and the random cookie as the salt in the PBKDF2 function to derive the key which then can be used to encrypt the request data.
- The cookies can then be used on the server side to derive the same key which can then be used to decrypt the request data.
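The pre-authentication exchange above, sketched for both sides in Node.js as an added example (not code from the original post). The AES-256-GCM cipher, the 600,000 iteration count, the in-memory `sessions` map and all function names are assumptions; the post specifies only PBKDF2 and the two cookies.

```javascript
const nodeCrypto = require("node:crypto");

const ITERATIONS = 600000; // assumption: the post gives no iteration count
const sessions = new Map(); // stands in for the backend cookie mapping

// Server: issue the two cookies and record the mapping between them.
function issuePreAuthCookies() {
  const session = nodeCrypto.randomBytes(32).toString("hex");
  const random = nodeCrypto.randomBytes(16).toString("hex");
  sessions.set(session, random);
  return { session, random };
}

// Both sides: session cookie is the PBKDF2 password, random cookie the salt.
function deriveKey(session, random) {
  const salt = Buffer.from(random, "hex");
  return nodeCrypto.pbkdf2Sync(session, salt, ITERATIONS, 32, "sha256");
}

// Client: encrypt the request body (AES-256-GCM is an assumption).
// Output layout: 12-byte IV | 16-byte auth tag | ciphertext, base64-encoded.
function encryptRequest(cookies, plaintext) {
  const key = deriveKey(cookies.session, cookies.random);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Server: look up the salt mapped to the session cookie, re-derive, decrypt.
// Returns null for an unknown session or a body that fails authentication.
function decryptRequest(session, body) {
  const random = sessions.get(session);
  if (random === undefined) return null;
  const raw = Buffer.from(body, "base64");
  if (raw.length < 28) return null; // too short to hold IV and tag
  const key = deriveKey(session, random);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null; // tag mismatch: modified body or key from a different mapping
  }
}
```

Both PBKDF2 inputs are the cookies themselves, so the server must reject any session cookie it has no mapping for, and the authenticated cipher mode is what lets it detect a modified body.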
Post-Authentication
The same cryptographic methodology can be used in the post-authentication scenario as well.
- In the first response to the client, the server assigns the client a random salt.
- The user authenticates themselves on the server. The login credentials are entered by the user.
- The password sent from the client side is used along with the salt sent in the first step to generate a PBKDF2 key which is then used to encrypt the data sent from the client side.
- The salt can be sent in the body of the request, which can then be used to derive the same key using the password stored in the database. This key can then be used to decrypt the request data.
Kindly note that the session ID created post-authentication is different from the session ID created for pre-authenticated requests. Pre-authentication cookies cannot be hardened (as they need to be accessed by JavaScript for PBKDF2), whereas the post-authentication cookies need to have the HttpOnly and Secure flags set on them.
Also, this solution raises the complexity of an attack and should not be considered a fool-proof way to protect the data going from the client side. A M-i-T-M attack will still let an attacker gather the logic to decrypt the request data. Since the iteration count in PBKDF2 is large, it will require a significant amount of computational power for the attacker to launch a brute-force attack.