I am trying to get basic encryption on my database for my app and i am having trouble with decrypting it in my app.
I have managed to get specific data to be encrypted with AES.
AES_ENCRYPT(data, '9027382883960882');
This returns me data like this: ÷çôpFx4Ûk`©ùþ§ß-ð?±AGXxPkoË
The data from the database then gets put on a page as JSON data.
We then get the data through a XMLHTTP request on the app.
We then have the encrypted data on the app but then i need to deccrypt it.
I dont know how we can do this in a good way because when we use a plug-in like Aes-js.
We first have to change the encrypted data to Hexdecimal or Bytes and that is not possible because the data has random signs in it.
Do you guys have any idea how we can do this or maybe a push in the right direction.
Related
I want to use an a decryption algorithm on the data I receive through REST-API, for that I am storing the secret-key in angular component ts file.
I want to know that after I build and deploy the code. Will my secret key be visible somewhere in the browser, because the built code is pure javascript which is fetched by server.
I am using crypto-js library for decryption of data.
var secret_key = "super-secret";
CryptoJS.AES.decrypt(ciphertext, secret_key)
If you can explain the situation why you need it, may be a chance you can get better way to do it.
There are 3 different ways to achieve it :-
Pass roles/permissions to local storage as well as same time put into session table(or any other table) in backend. Check role/permission every time user request for something to make sure it is not modified.
Store the roles/permission in backend e.g in session table and then provide roles/permission on every request. This way you do not have to worry about any modification by user anytime.
Pass the encrypted (RSA algorithm)roles/permission in cookies and make cookie httpOnly true and secure true, these cookies cannot be accessed/modified as per protocol and then in each request you will have
The best practice here is to execute encrypt/decrypt operation on backend (server-side) and get the decrypted value from you API
Yes it will be visible to individuals looking for it. You should never store secrets in any client-side code.
The key should be acquired from a server once the client authenticates.
Good post on key storage options
https://pomcor.com/2017/06/02/keys-in-browser/
Section 5.2 of WebCryptoAPI discusses a bit about key storage
https://www.w3.org/TR/WebCryptoAPI/
I'm developing a small project in android which is using php webservices' call.
I want my webservices to be protected, however by using GET/POST request methods I don't think its much protected. After googling I got RSA implementation in "phpseclib", Its having good documentation as well. But I'm confused so much, so thought post this here.
Basically what I need is:
from Android I'l call a url with "encrypted parameters merged in one string".
(I'l first encode parameters in json and then I'l encrypt).
those parameters I'l extract in php, and process accordingly.
json string: {user_id:xyz#gmail.com, passwd: Password!}
encrypted to: XsjkhkjwehrkanmNXmnskjawrhjlljahdhuw
eg. http://my.domain.com/webservices/call.php?params=Xsjkhkjwehrkanm,NXmnskjawrhjlljahdhuw
In php, I'l extract userID and Password, from that $_GET['params"']
This is possible in base64_encode(), base64_decode(), but base64 encoder will just obfuscate the string, it won't encrypt actually.
I need public/private key mechanism.
However I've tried this: (https://launchkey.com/docs/api/encryption/php/phpseclib)
<?
function rsa_encrypt($key, $message) {
$rsa = new Crypt_RSA();
$rsa->loadKey($key);
$encrypted = base64_encode($rsa->encrypt($message));
return $encrypted;
}
?>
Its not returning any $encrypted string.
Any help would be really appreciated.
Thanks..! :)
If you're new to encryption, you should go the simple route and just go with HTTPS, as suggested in comments.
Also, as suggested in comments, don't send the passwords via GET from a web page because that shows in the address bar and passers by can read that off the screen.
HTTPS (SSL/TLS) provides end to end encryption of the entire connection between the web server and the client. This allows you to send all your data in clear text and not worry about it because it's being encrypted at a lower level.
Since it's not a web browser calling your web server, you don't even need to pay for an SSL certificate. You can create a self-signed certificate. Just ensure you verify the signature on every connection to prevent man in the middle attacks. This is a bit trickier though, so again, if you're new to this, just pay for the SSL certificate and let Android take care of the certificate verification for you.
In response to your direct question:
Encoding is not encryption, as you may have discovered. Base64 is encoding and provides no security.
You cannot simply generate an RSA public/private key pair, encrypt data with the private key, and send it to your server. You have to first share your public key with the server. Well, anyone who sniffs the public key off the wire can decrypt it.
You could potentially have the client generate a random symmetric key and encrypt it with the server's public key. The server would then decrypt it with the private key, and have a shared secret key to use to encrypt data and send it to you.
The problem with that is an attacker could simply replay all your data to a server to see the same output. These random things need to be generated by the server to ensure they're actually random, so you're stuck with the server generating the key, but if the server simply encrypts with the private key, anyone with the public key could decrypt it.
So, you'd need some method of securely deriving a shared secret key, some complicated mathematical way of sharing some data that both the server and the client could use to calculate the same shared key.
You could do this yourself, but you'll be calling complicated procedures and functions, when you could just use SSL, which does the same thing for you.
I think you can use POST web service to make it more secure and if possible then please don't encrypt parameter just encrypt value of parameter and then also if you face issue then try to retrive value using
$_REQUEST['parameter_name']
I am making an application that will store a Azure SQL server DB user information, including profile photo downloaded from Facebook. On the server side, ASP.NET MVC4'll have a controller that will receive the information and send it to the database.
The client side is Javascript and thought to give the image in json (once converted to base64). Is it a good option? Is it better to directly send the jpg? What are the advantages of sending information in json?
In SQL Server image field would be stored as a nvarchar (max)
Are you going to return the image as a binary stream content type image/jpeg or as a text stream encoded base64? Is far more likely that you're going to do the former, so there is little reason to go through an intermediate base64 encoded transfer. And of course, store them as VARBINARY(MAX). Even if you would choose to store them as base64, choosing an Unicode data type for base64 text is really wasteful, (double the storage cost for no reason...), base64 can fit very well in VARCHAR(max).
But, specially in a SQL Azure environemnt, you should consider storing media in Azure BLOB storage and store only the Blob path in your database.
In my opinion, it's better sending the image directly in .jpg using Multipart Forms or something like that.
Sending information in Json is useful when you transfer explicit data, like collections or objects that you will be able to query or de-serialize later.
The client side is Javascript and thought to give the image in json (once converted to base64). Is it a good option?
As Pasrus pointed out, you are not going to manipulate the image data. So JSON does not seems to be a good choice here.
One option is, you can add the base64 data into src attribute in html tag and send it.
What are the advantages of sending information in json?
Please check this answers and there are so many:
Advantages of using application/json over text/plain?
In SQL Server image field would be stored as a nvarchar (max)
Please refer this link:
Storing images in SQL Server?
I'm building an ASPX website that should allow the user to download a CSV/Excel file (including the 'Save To' dialog). The CSV contains encrypted data - the decryption key is available at user side and should be kept secret against the webservice.
So decryption actually should be performed within the browser, a javascript implementation (sjcl) has proofed to work fine.
But how can the incoming datastream during a file download be influenced? Something like a browser hosted proxy performing the javascript decryption?
#closure: thanks a lot! Ajax is no problem, and the idea
<a href='data:application/csv;base64,aGVsbG87d29ybGQNCg=='>click</a>
is really cool, but it has two problems: it seems not work with IE and it is not the right approach for really huge tables. The solution should be able to handle many thousands of records, therefore we need some sort of download stream encoder/decrypter.
Here are the steps to achieve this:
Instead of downloading the CSV directly to the client machine, fetch it via ajax
Once the data is received in via Ajax, parse the CSV via many available functions on internet. Let me know, if you need help on this. This function will convert the CSV to native Javascript Arrays.
Walk through the Array and covert the encrypted data to unencrypted data. Do it natively in the same Array.
Convert the array to CSV (Again there are functions in public domain)
Make a link (a element) and set the href to local data like data:text/csv;charset=utf-8, + encodeURIComponent(csv)
Present this link to the user and ask him to click on it to save the file locally.
In My website my server will reply raw data(a Jpeg image encrypted using a password) , when the browser receives it can i decrypt(Using the same password) the data into a image and show them as image using JavaScript.
What is the point?
Image will be 'protected' only during transmision from server to the client. Also, to decrypt it as described, password will be saved somewhere on the client side (in javascript). So every one can see the password and algorithm.
If you want to protect data during transmision just access it via https.
First please think over your design and make sure that this is really the way you want to go for. Maybe a ordinary login system with https or htaccess protection would be more suitable.
If you really want to do it the way you described, I would do it the following way:
convert the images to base64 format (wikipedia article), because handling binary data with JavaScript is nasty.
then encrypt your images with AES and a strong key
save the result in your database
when a client wants to access the images you should
send the encrypted images over HTTPS
let him enter the key (or a passphrase which will be hashed,e.g. with SHA512, to the key) in a HTML input field and read it with JavaScript
decrypt the images using a JavaScript AES library, e.g. http://point-at-infinity.org/jsaes/
change the src attribute of your img tag to the decrypted base64 stream.