I'm currently trying to strengthen up the security on a large ASP.NET
application. I use MD5 hashes for the user/password, and a token to 'salt'
the resultant hash. This is secure.
The next step -- and I'm *really* surprised that *everyone* doesn't do
this -- is to prevent 'Evil Eve' from listening in over the network when the
passwords and/or other sensitive information is updated. The best method
here is to use asymetrical encryption using the framework's
RSACryptoServiceProvider. Of course, this won't work on the client because
you have to use JavaScript on the client (forget Java and Activex as these
are out of the question). Therefore I want to implement RSA on the client in
JavaScript.
Having hunted around the internet, I keep drawing a blank here. There are
several implementations of RSA, but none of them are compatible with the
RSACryptoServiceProvider object. The bottom line is there's some enormous
numbers involved here (1024 bits worth!), so there's a shed load of scary
maths involved.
I do have a fallback which basically requires the user to enter their
username and password, to concatinate this to a 'salt' and use this as the
key to use a symetric encription algorithm such as 3DES. I don't like this
because it requires the user to keep re-entering their username/password
(this would be a major pain if you need to update the passwords of lots of
users).
I know that this is effectively reinventing SSL, but SSL isn't an option
for many customers as the certificates are quite expensive and are often
difficult to implement on public, i.e. shared, web servers.
I would *really* appreciate it if someone could point me in the direction of
a JavaScript RSA implementation that works with the
RSACryptoServiceProvider.
TIA,
G.
