Does anyone know how to encrypt in javascript (maybe with sjcl?), post to a webapp and decrypt with java?
I wish to intercept some of a form data, encrypt it and then post to my spring application. ? already use jasypt PBEWITHSHA256AND128BITAES-CBC-BC algorithm for database encryption.
Any client-based symmetric encryption algorithm is likely going to be hackable since the code and keys is all sitting right there in the web page.
Wouldn't it be better to just use https to deliver the data to your server (the transport will be encrypted by https) and then do whatever final encryption you want on the server before storing it or passing to your spring application?
Answering my own question: I've found the precious jCrypting javascript library (based on jquery) and developed a spring integration (https://gitorious.org/jcryptingspring)
Related
I have searched all over the internet for the last days and not found a single example without it saying it's not safe and the same thing everywhere.
But also couldn't find cases like my use case so I had to ask it for myself.
The scenario: I have a backend which on only some of the data it sends I need some sort of extra security so other people won't be using my api publicly, I have successfully used Laravel's Crypto for encryption on backend and CryptoJs for decryption on the frontend.
So my only problem is where to store my larave's key which is used for AES encryption and decryption on frontend.
What I have already tried (or thought of):
.env files, they get included in the bundle anyways so what's the point.
Any obfuscation sound to be pointless.
I probably should use WebCrypto (https://stackoverflow.com/a/24677597/10268067) but couldn't get anywhere with it. (I just heard of it).
I need some suggestions, even if there was a secure way of storing my encryption key, I don't think there is a way to do it directly so I have to request my api for this encryption key at some point but where? If I have a route specifically for this purpose I don't think the hackers are too stupid to find that, heck I can even find that with interception of the requests and responses!
So I basically have two problems:
How to request the server somehow randomly or in anyways that hackers can hardly ever find my encryption key in the requests.
How to save in on js side of browser securely, for instance I decided to use Secure Store for my mobile app's version of this exact problem, but on the web I'm so lost!
Just to be clear, encryption happens on the backend, decryption (with the same key) happens on the frontend.
I have a backend which on only some of the data it sends I need some sort of extra security so other people won't be using my api publicly
Cryptography is not the solution for this. Big companies use API tokens and refresh tokens in order to accomplish this.
The solution you are looking for is called refresh tokens used along with the API tokens.
I am building a service which is using a powerful client-side script to execute actions. All communications with a server are done via WebSockets. I am looking for a way to protect information which is transferring between server and client, so nobody with beginning/medium knowledge in Chrome debugging and HTTP scrapping can simply decode these data. The script itself will be deeply obfuscated.
I read there are some RSA libraries for javascript to encrypt/decrypt data, but I hear like RSA is old and slow and that's why I need someone's advice who is the guru in such things. I need for simple MIT library, no need for paid solutions and giant-sized packages.
I am looking for a way to protect information which is transferring between server and client,
That is SSL (https) for. There is no reason not to use SSL
so nobody with beginning/medium knowledge in Chrome debugging and HTTP scrapping can simply decode these data. The script itself will be deeply obfuscated.
Often it is not so effective. If data are user entered or displayed, there is no reason to encrypt them. If data are provided from the server and not to be displayed, you can encrypt the data properly on the server side.
client-side encryption is usually feasible if you want to store or resend data encrypted or signed to other systems.
Usually adding more complexity doesn't add security.
I read there are some RSA libraries for javascript to encrypt/decrypt data
Just search for some https://gist.github.com/jo/8619441 or there is CryptoWebAPI https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API
the issue is - are you sure you need RSA? How would you manage and exchange keys? How would you ensure key authenticity?
but I hear like RSA is old and slow
RSA is old and slow and yet used and secure (when implemented properly). RSA is used along other (symmetric) ciphers to ensure speed and effectiveness. It is called hybrid cryptosystem
There are two used asymetric systems, RSA and ECC. Regardless that using ssl will ensure confidentiality and integrity, in most of the cases you would need to really justify using RSA on the client side
I have an app using HTML5 caching for an "offline mode". When the app is offline, data is stored via javascript in localStorage to be sent to the server when the app comes back "online". I would like to run some of this data through an encryption before sticking it in localStorage in a way that can only be decrypted on the server.
I was thinking that a public/private key would be the way to do this. Is that a reasonable way to go about things? Are there any good javascript libraries for handling this sort of thing client-side? Are there good ruby/rails libraries/gems for handling this server-side?
If you only want to encrypt data in localStorage, you can use public key cryptography. Don't generate the keys in JS, do it server side, and send the public key with the page. Unfortunately, I don't know any well tested and maintained crypto library in Javascript.
For the level of security you're aiming at (just a little layer to prevent the user from reading the data), you can choose whatever implementation you want.
On server side, you can use the OpenSSL gem with the class OpenSSL::PKey::RSA.
For anyone else reading this: Don't use Javascript crypto, it's bad!
For handling this client side, there is the handleStorage plugin for jQuery, which is really easy to use, but is GPL. If you cannot use that due to licensing issues, you can combine the jStorage jQuery plugin with the blowfish jQuery plugin.
Normally, if I complete a form, the data will be sent to the server as raw plain text which could be read by sniffers.
I want to encrypt form's data client-side (like username, password,...) and then send them to the server.
It seems that there are two ways:
1- Using SSL (in my scenarion, I can't use)
2- Using custom ActiveX control.
3- Using server side dynamic javascript encryption function.
Which one is better or any other solution?
If you can't use SSL, which is the only sane option here IMHO, you must use client-side public key encryption with javascript, because symmetric encryption would require a key exchange over an insecure channel, which kind of defeats the purpose.
I haven't tried it myself, but I found this library for doing RSA encryption in javascript.
Server-side encryption won't work, because it wouldn't solve the problem (plaintext data being transmitted from the client to the server). What you would need is a javascript implementation of an asymmetrical encryption algorithm. Something like RSA. The server can provide the client with the public key, which would be used to encrypt the form data before it's sent, and then can use the private key to decrypt the data after it's been received.
Hey everyone, I am researching a project where we would need to keep a value encrypted from the client all the way to a black box system without decrypting it at any point in between. We are using SSL between the browser and web server, but the values are automatically decrypted at the web server, which is what we need to keep from happening. We need to be able to pass it through the web server (still encrypted) and through other back end systems until it hits its final destination where it would be decrypted.
So my question is what options are available to us for maintaining an encrypted state for a value from the browser back, without decrypting it anywhere along the way?
Thanks
Mark
Have you thought about doing a simple RSA encryption on the values and sending that through the system? You will need to make sure the clients have the public key in which to encrypt the data with, but that would be easy and secure enough to pass around.
To my knowlege, most libraries out there will support RSA. A nice demo of how to do it purely in Javascript can be found here.
you'll want to take a look at public key encryption. SSL protects your session (browser <-> server) but not the full transport. i'd suggest encrypting your data once it's received from the client, then sending the encrypted data all the way in.
here's a terrible diagram outlining the flow of data
client browser web server random server blackbox
route ---- SSL -------------><------------- not encrypted ------->
data *-------- PGP/GPG encrypted --------->
basically your data is encrypted via SSL to the web server, where it is PGP/GPG encrypted, then sent downstream. SSL doesn't matter at this point (or at least, isn't the primary form of encryption).
unless you can guarantee javascript in your environment, it may be better to encrypt at the web server to make sure your data is secure if the user has javascript off for some reason.
If you use a binary type in your database, the web server should send it as-is. Your client can then encrypt the data before inserting it, and would then have to decrypt the data after fetching it. Neither the web server nor the database server itself would be able to view the data.
The black box system, by definition, can't decrypt the data unless it was built to do that. I'll suggest discussing the problem with the developers of the black box system.