JSONStore security utilities overview
The MobileFirst client-side API provides some security utilities to help protect the user's data. Features like JSONStore are well suited to protecting JSON objects. However, it is not recommended to store binary blobs in a JSONStore collection.
Instead, store binary data on the file system, and store the file paths and other metadata inside a JSONStore collection. If we want to protect files like images, we can encode them as base64 strings, encrypt the strings, and write the output to disk. When it is time to decrypt the data, we can look up the metadata in a JSONStore collection, read the encrypted data from the disk, and decrypt it using the metadata that was stored. This metadata can include the key, salt, Initialization Vector (IV), type of file, path to the file, and other details.
At a high level, the SecurityUtils API provides the following APIs:
- Key generation - Instead of passing a password directly to the encryption function, this key generation function uses Password Based Key Derivation Function v2 (PBKDF2) to generate a strong 256-bit key for the encryption API. It takes a parameter for the number of iterations. The higher the number, the more time it takes an attacker to brute force the key. Use a value of at least 10,000. The salt must be unique and it helps ensure that attackers have a harder time using existing hash information to attack the password. Use a length of 32 bytes.
- Encryption - Input is encrypted using the Advanced Encryption Standard (AES). The API takes a key generated with the key generation API. Internally, it generates a secure IV, which adds randomization to the first cipher block. The API encrypts text. To encrypt an image or other binary format, first turn the binary into base64 text by using the base64 APIs in this list. This encryption function returns an object with the following parts:
  - ct (cipher text, which is also called the encrypted text)
  - IV
  - v (version, which allows the API to evolve while still being compatible with an earlier version)
- Decryption - Takes the output from the encryption API as input, and decrypts the cipher or encrypted text into plain text.
- Remote random string - Gets a random hex string by contacting a random generator on the MobileFirst Server. Default is 20 bytes, but we can change the number up to 64 bytes.
- Local random string - Gets a random hex string by generating one locally, unlike the remote random string API, which requires network access. Default is 32 bytes and there is no maximum value. The operation time is proportional to the number of bytes.
- Encode base64 - Takes a string and applies base64 encoding. Because of how the algorithm works, base64 encoding increases the size of the data by approximately 1.37 times the original size.
- Decode base64 - Takes a base64 encoded string and applies base64 decoding.
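The file-protection flow described above (base64-encode the binary, derive a 256-bit key with PBKDF2, encrypt with AES under a fresh IV, keep the metadata apart from the encrypted file), as an added example that is not MobileFirst code: it uses the Node.js built-in crypto module in place of the SecurityUtils API. The function names, the PBKDF2 hash (SHA-256), the AES mode (CBC), the hex encoding, and the sample password and path are assumptions.

```javascript
// Added example: Node.js crypto stands in for the SecurityUtils calls (assumption).
const crypto = require("node:crypto");

const ITERATIONS = 10000; // minimum iteration count recommended on this page
const SALT_BYTES = 32;    // salt length recommended on this page
const KEY_BYTES = 32;     // 256-bit key

// Key generation: PBKDF2 over the password and a unique salt (SHA-256 is an assumption).
function keygen(password, saltHex, iterations = ITERATIONS) {
  const salt = Buffer.from(saltHex, "hex");
  return crypto.pbkdf2Sync(password, salt, iterations, KEY_BYTES, "sha256").toString("hex");
}

// Local random string: hex-encoded random bytes, generated without network access.
function localRandomString(bytes = 32) {
  return crypto.randomBytes(bytes).toString("hex");
}

// Encryption: text in, { ct, iv, v } out, with a fresh IV per call (CBC is an assumption).
function encrypt(keyHex, text) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv("aes-256-cbc", Buffer.from(keyHex, "hex"), iv);
  const ct = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
  return { ct: ct.toString("hex"), iv: iv.toString("hex"), v: "1" };
}

// Decryption: takes the parts produced by encrypt() and returns the plain text.
function decrypt(keyHex, { ct, iv }) {
  const d = crypto.createDecipheriv("aes-256-cbc", Buffer.from(keyHex, "hex"), Buffer.from(iv, "hex"));
  return Buffer.concat([d.update(Buffer.from(ct, "hex")), d.final()]).toString("utf8");
}

// Binary -> base64 text -> encrypt. The ct is what goes to disk; metadata goes to the collection.
function protectFile(password, bytes, path, type) {
  const salt = localRandomString(SALT_BYTES);
  const { ct, iv, v } = encrypt(keygen(password, salt), bytes.toString("base64"));
  return { fileContents: ct, metadata: { path, type, salt, iv, v, iterations: ITERATIONS } };
}

// Look up the metadata, re-derive the key, decrypt, then base64-decode back to bytes.
function recoverFile(password, fileContents, meta) {
  const key = keygen(password, meta.salt, meta.iterations);
  return Buffer.from(decrypt(key, { ct: fileContents, iv: meta.iv }), "base64");
}

// Constructed sample: the first bytes of a PNG header plus two filler bytes.
const SAMPLE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0xff]);
const sealed = protectFile("constructed-password", SAMPLE, "/files/photo.png.enc", "image/png");
console.log(sealed.metadata, recoverFile("constructed-password", sealed.fileContents, sealed.metadata).equals(SAMPLE));
```

The AES-CBC mode assumed in this example provides confidentiality only, so it does not reliably detect modification of the encrypted file on disk.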