encrypting data on client-side via html5 javascript

im building a web app in html5.. basically a form with a time counter and questions and answers.

im looking for a way that the user cannot change the score (that is calculated from the time took to answer the question) via browser debugger 开发者_运维百科or etc.

encrypting the raw data sounds like an options.. but when the data is at dom, the user can change it.

i added some "time checking" in server side.. but still i would prefer some client side protection as well.

any suggestions? thanks

I'm no web pro, but I'd say just stick all the validation on the server side. From what I know about people exploiting MMORPGs, there is always a way to access/change client side data.

What you're asking for is impossible. No matter how you implement it, the user can use debugging tools to alter how the code runs in their browser - or, ultimately, just generate the HTTP POST request themselves, independent of your code.

Well, since you're saying you're using html5, why don't you just use the storage support? e.g:

var store = sessionStorage.question= new Array();
store[0]="10s";
store[1]="5s";

Now just set that programmatically! It will last for the whole session Put that in a file and import it and the better-than-average user wont know where to look! You can also check This Link for a more robust solution

As Nick says, a determined user will be able to get round any encryption scheme you use on the client machine. At most you can make it difficult for them to break. You need to do two things, 1) encrypt so as to make tampering difficult and 2) try to detect any tampering that does occur.

I don't know what is available off the shelf for Javascript, if available then use AES for encryption and HMAC to detect tampering. If you have to write your own then use RC4 for encryption (not as strong as AES but much simpler to code) and a checksum to detect tampering.

One thing you can do to make it more difficult for an attacker to find your encryption key and HMAC key is not to store them in one place. Have two arrays such that the real key is array1 XOR array2. That way the actual key is not explicitly in code anywhere.