I am developing SPA in angular and the specific requirement from customer to use RSA 2048 for authentication. I am a bit skeptical how the authentication token would get generated. I believe the token would generate at the server side and it's server's responsibility to verify against the encrypted credentials.
Am I wrong in my thinking? Has anyone tried with 2048 RSA authentication earlier?
So this is how it will work,
Generated a public & private key using a salt key & 2048 bits.
Public key is kept within the source code to generate a cipher text.
Private key is kept on server to decrypt the cipher text.
Server will decrypt both the stored password ( already encrypted) with the login password ( encrypted).
If both decrypted cypher texts are equal , server will send the auth-key otherwise request is failed.
Related
What would be the most secure way to do so?
So far I tried providing the same public key for every user which automatically encrypts the data sent over a https request to my backend.
For that reason, people with enough knowledge can get the json payload before its encrypted and encrypt it by themselves on their end and send it over my server.
The most ideal case would be so the client side only has access to the public key while the server can view both user's private key and public key.
I'm currently using RSA for this
Frameworks in use: VueJS and NestJS
The web browser belongs to the user. It is completely under their control. Anything you do in the browser can be inspected and manipulated by the user.
You can encrypt data during transmission to protect it from third-parties with HTTPS.
You can't make the user's browser compensate for you not trusting the user.
I am working with struts login application
I need to encrypt password in the login.js file using RSA public key in javascript and then decrypt it using RSA private key at server side in java.
I have java code which generates the RSA public/private key in server side. And saved that keys in the server side.
When user clicks on submit button after filling username and password, i will be encrypting the password using RSA public key which was generated in the server side. Than struts action will be executing which will do authentication using LDAP at server side.
But how can i transfer public key from server to client for encryption of password at client side when user click on the submit button.
Thanks in advance !!!
I am looking to do a three-pass exchange with CryptoJS (client) and OpenSSL (server). I can not find any examples on how to do this, could any one pint me in the right directions. I am looking to do the following:
Server sends client a string encrypted with a randomly generated key.
Client encrypts the string with another key, and sends it back to the server
Server decrypts the string using server's key from step 1 and sends it back to the client
Client decrypts the string with client's key from step 2. Client now has original string from the server.
This is for a small app I am making. I have used CryptoJS before, but I never had to do the three-pass before, and an example to work from would be very helpful. Thank you for any help.
The company i work for has found a problem working on a new page, in sending new/modified users passwords when the account is saved to server side code from client side using jquery ajax.
At the moment, the password is sent in plaintext to a webmethod in which it is processed and then encrypted server side before being sent to the database.
My major fear is a sniffer catching the traffic in the middle and taking the plaintext password, pretty logical problem.
My company does not use SSL/HTTPS therefore im looking at other encryption methods.
The only person capable of changing passwords is the administrator, and the logged in user is capable of changing their own password. Therefore nobody else has access to that page without authentication.
Should i use a plaintext key in javascript with 3DES to send an encrypted password to server side and reduce the chances of a man in the middle attack,
Or should i use a public/private key system with RSA so that a generated public key is sent to clientside on post, that can only encrypt the data, and then server side containing the private key to decrypt the data when sent.
Obviously the user/ admin is always going to be able to debug and see their password in their webbrowser, but which is the better solution to prevent a man in the middle attack.
Ive read that rsa encryption can be quite hungry on resources to generate keys.
Thanks.
You could use RSA to generate a key pair, and issue the public key to the client. The client could encrypt it using a usefull jQuery plugin pidCrypt
Back on the server, you could decrypt the sensitive data with the private key. We are actually doing something similar for our ASP.NET Web API solution (in addition it running over HTTPS).
The following is a nice post by John Peterson showing how to do something similar and use RSA with Web API
Hth.
Is there any solution for secure user registration and authentication without SSL?
With "secure" I mean safe from passive eavesdropping, not from man-in-the-middle (I'm aware that only SSL with signed certificate will reach this degree of security).
The registration (password setup, i.e. exchanging of pre-shared keys) must be also secured without SSL (this will be the hardest part I guess).
I prefer established and well tested solution. If possible, I don't want to reinvent the wheel and make up my own cryptographic protocols.
Thanks in advance.
For logging in you could try SRP from clipperz:
I'm not sure how strong the random number generator they use is. You might want to try and use the Crypto API to get stronger values. I'm not sure how you can get secure seed values in javascript without using Crypto API.
For sending initial password to server you could use public key encryption. So the server sends the client its public key (ok under the no mitm assumption) and the client encrypts the whole registration request when registering. Cipperz has support for public key encryption but in a very raw form. Often you use public key encryption to encrypt a randomly generated symmetric key and use the symmetric key to encrypt the payload. You have to be quite careful with padding/etc to make public encryption properly secure. I don't know of any robust public key crypto libraries for javascript.
You may want to check out jsbn for public key encryption because it looks like it does padding correctly. Though, I suspect it suffers from insecure random number generation. It would be a good idea to use Crypto API or make the user bang the keyboard to generate some entropy. Snippet from rng.js
// For best results, put code like
// <body onClick='rng_seed_time();' onKeyPress='rng_seed_time();'>
// in your main HTML document.