Hey i'm working on an angular 4 project and i need to encrypt and decrypt data using private and public keys , i found cryptojs library but it didn't had this type of data encryption/decryption, Is there any way to do it using this library , or another ?
Data is not encrypted with asymmetric encryption, rather symmetric encryption such as AES is used.
Asymmetric encryption is very slow and the data size it can encrypt must be less than the key size. Symmetric encryption is fast and AES has essentially no data size limit.
If asymmetric encryption (public/private key pair) is required and the data is larger then the asymmetric key size the general solution is to use hybrid encryption.
Related
Is it possible (for example, using some library) to encrypt a secret using two keys in such a way that each of these keys (separately) is able to decrypt this secret.
I am developing SPA in angular and the specific requirement from customer to use RSA 2048 for authentication. I am a bit skeptical how the authentication token would get generated. I believe the token would generate at the server side and it's server's responsibility to verify against the encrypted credentials.
Am I wrong in my thinking? Has anyone tried with 2048 RSA authentication earlier?
So this is how it will work,
Generated a public & private key using a salt key & 2048 bits.
Public key is kept within the source code to generate a cipher text.
Private key is kept on server to decrypt the cipher text.
Server will decrypt both the stored password ( already encrypted) with the login password ( encrypted).
If both decrypted cypher texts are equal , server will send the auth-key otherwise request is failed.
Is there any solution for secure user registration and authentication without SSL?
With "secure" I mean safe from passive eavesdropping, not from man-in-the-middle (I'm aware that only SSL with signed certificate will reach this degree of security).
The registration (password setup, i.e. exchanging of pre-shared keys) must be also secured without SSL (this will be the hardest part I guess).
I prefer established and well tested solution. If possible, I don't want to reinvent the wheel and make up my own cryptographic protocols.
Thanks in advance.
For logging in you could try SRP from clipperz:
I'm not sure how strong the random number generator they use is. You might want to try and use the Crypto API to get stronger values. I'm not sure how you can get secure seed values in javascript without using Crypto API.
For sending initial password to server you could use public key encryption. So the server sends the client its public key (ok under the no mitm assumption) and the client encrypts the whole registration request when registering. Cipperz has support for public key encryption but in a very raw form. Often you use public key encryption to encrypt a randomly generated symmetric key and use the symmetric key to encrypt the payload. You have to be quite careful with padding/etc to make public encryption properly secure. I don't know of any robust public key crypto libraries for javascript.
You may want to check out jsbn for public key encryption because it looks like it does padding correctly. Though, I suspect it suffers from insecure random number generation. It would be a good idea to use Crypto API or make the user bang the keyboard to generate some entropy. Snippet from rng.js
// For best results, put code like
// <body onClick='rng_seed_time();' onKeyPress='rng_seed_time();'>
// in your main HTML document.
I need a javascript library which can decrypt AES data. I've found some libraries, like:
http://www.movable-type.co.uk/scripts/aes.html
http://point-at-infinity.org/jsaes/
But none of them support a IV key (Initialization Vector).
The reason i need that is because some C#.NET server is sending me data which is encrypted with AES and it also uses a IV key.
Now i need to decrypt that message with Javascript somehow, but couldn't find any library which supports the Initialization Vector. So does anyone know a javascript library which supports this too for decrypting?
The IV is not strictly a feature of AES. It depends on the mode of operation. The first link only implements CTR mode, and the second doesn't use any mode (it just encrypts one block).
You should check what mode is used by your server.
If it is CBC, you should be able to implement it over an AES implementation without any problem.
And now for the fun question: why do you have a server encrypting data to send it to JS? It doesn't add any security: JS is always executed in an unsafe environment (cf http://www.matasano.com/articles/javascript-cryptography/ for more information).
Normally, if I complete a form, the data will be sent to the server as raw plain text which could be read by sniffers.
I want to encrypt form's data client-side (like username, password,...) and then send them to the server.
It seems that there are two ways:
1- Using SSL (in my scenarion, I can't use)
2- Using custom ActiveX control.
3- Using server side dynamic javascript encryption function.
Which one is better or any other solution?
If you can't use SSL, which is the only sane option here IMHO, you must use client-side public key encryption with javascript, because symmetric encryption would require a key exchange over an insecure channel, which kind of defeats the purpose.
I haven't tried it myself, but I found this library for doing RSA encryption in javascript.
Server-side encryption won't work, because it wouldn't solve the problem (plaintext data being transmitted from the client to the server). What you would need is a javascript implementation of an asymmetrical encryption algorithm. Something like RSA. The server can provide the client with the public key, which would be used to encrypt the form data before it's sent, and then can use the private key to decrypt the data after it's been received.