I'm looking for ideas on encrypting form data. For example, if a user enters
a password, I would like to encrypt it before it gets posted, then decrypt
it server-side.
The obvious answer for a password is to 1-way hash it. Unfortunately, this
is for data that will not be known ahead of time - I have the requirement of
needing to encrypt any password-style textbox entries, then decrypt them on
the server. This is intended to provide 'better-than-nothing' security when
SSL is not present, and most likely would only be employed over an intranet.
It's my understanding that symmetric algos are fastest, but the problem
there is that the single key to encrypt/decrypt will need to be sent to the
client machine, which means it, along with the post data, is viewable by
anyone snooping.
An asymmetric algorithm, it would then seem, would do the trick. A public
key could be used client-side to encrypt, and then a private key could be
used server-side to decrypt. However, from googling on this, it appears that
javascript might not be up to the task from a performance perspective. I
haven't found any clear answers on this topic.
Any thoughts or direction on this are much appreciated.
TIA,
Pete
12  13046 
Peter Young wrote: I'm looking for ideas on encrypting form data. For example, if a user
enters a password, I would like to encrypt it before it gets posted, then
decrypt it server-side.
http with SSL, AKA https.
--
David Dorward http://david.us-lot.org/
"Peter Young" <yo*****@comcas t.no.net.spam.p lease> wrote in message
news:JwbYa.5441 0$cF.19329@rwcr nsc53... I'm looking for ideas on encrypting form data. For example, if a user
enters a password, I would like to encrypt it before it gets posted, then decrypt
it server-side.
It's my understanding that symmetric algos are fastest, but the problem
there is that the single key to encrypt/decrypt will need to be sent to
the client machine, which means it, along with the post data, is viewable by
anyone snooping.
An asymmetric algorithm, it would then seem, would do the trick. A public
key could be used client-side to encrypt, and then a private key could be
used server-side to decrypt. However, from googling on this, it appears
that javascript might not be up to the task from a performance perspective. I
haven't found any clear answers on this topic.
Any thoughts or direction on this are much appreciated.
Here is what you need: You do a normal encoding of the text. You send
the decoding key with the text, but you encode it using public/private key
encryption (with as many bits as the law allows).
The simplest way to do that is to use built-in security: secure sockets and
secure http.
"Steven Dilley" <steven.dilley. at.compuware.co m> wrote in message
news:3f******** @10.10.0.241... Here is what you need: You do a normal encoding of the text. You send
the decoding key with the text, but you encode it using public/private key
encryption (with as many bits as the law allows).
Is this so that it performs fast enough, vs. just encrypting everything with
public/private?
The simplest way to do that is to use built-in security: secure sockets
and secure http.
I understand that, which is why I said this is intended to provide
'better-than-nothing' security when SSL is not present.
Thanks,
Pete
Peter Young wrote: I'm looking for ideas on encrypting form data. For example, if a user
enters a password, I would like to encrypt it before it gets posted,
then decrypt it server-side.
.... Pete
Not sure if this will help, but here is a link to a javascript MD5 thing.... http://pajhome.org.uk/crypt/md5/
* Encrypt on the client.
* Send encrypted to server.
* Make use of encrypted. (either as is, or MD again)
eg...
md5("password") returns 5f4dcc3b5aa765d 61d8327deb882cf 99
....then...
md5("5f4dcc3b5a a765d61d8327deb 882cf99") = returns
696d29e0940a495 7748fe3fc9efd22 a3
.... as i say, not sure if this will help, but it may.
> >> http with SSL, AKA https.
As I said in my original post, this is intended to provide
'better-than-nothing' security when SSL is not present.
Yes, but you're being silly, the effort involved in doing this for the
limited security it might give is not worth the effort, when you could
just enable SSL, what is stopping you?
It's not up to me. This is a product that we sell. If the customer wants
true security, we tell them to use SSL. However, they don't all want to use
SSL, yet they expect us to say we've at least tried to make it secure. I
want the implementation to be as secure as possible given that SSL is not
being used. Is that silly? Probably. But in a competitive marketplace, we do
what we have to do to keep the customer's interest.
-Pete
"Peter Young" <yo*****@comcas t.no.net.spam.p lease> wrote in message
news:D6eYa.5497 9$cF.19380@rwcr nsc53... "Steven Dilley" <steven.dilley. at.compuware.co m> wrote in message
news:3f******** @10.10.0.241... Here is what you need: You do a normal encoding of the text. You send
the decoding key with the text, but you encode it using public/private
key encryption (with as many bits as the law allows).
Is this so that it performs fast enough, vs. just encrypting everything
with public/private?
Yes, exactly. The simplest way to do that is to use built-in security: secure sockets
and secure http.
I understand that, which is why I said this is intended to provide
'better-than-nothing' security when SSL is not present.
What is the reason for avoiding ssl? Cost? Inconvenience?
--
Steve
Peter Young wrote: > http with SSL, AKA https.
As I said in my original post, this is intended to provide
'better-than-nothing' security when SSL is not present.
Yes, but you're being silly, the effort involved in doing this for the
limited security it might give is not worth the effort, when you could
just enable SSL, what is stopping you?
It's not up to me. This is a product that we sell. If the customer wants
true security, we tell them to use SSL. However, they don't all want to use
SSL, yet they expect us to say we've at least tried to make it secure. I
want the implementation to be as secure as possible given that SSL is not
being used. Is that silly? Probably. But in a competitive marketplace, we do
what we have to do to keep the customer's interest.
-Pete
And in this case, doing what's in the customer's best interest would be to
explain to them that any "security" without SSL is not secure and they are
fooling themselves if they think otherwise.
The costs of development on this "security" to this point could have been put
towards purchasing a certificate to enable SSL.
When I discover I am doing business with a company that relies on half-assed
security measures, I move my business elsewhere.
--
| Grant Wagner <gw*****@agrico reunited.com>
* Client-side Javascript and Netscape 4 DOM Reference available at:
* http://devedge.netscape.com/library/...ce/frames.html
* Internet Explorer DOM Reference available at:
* http://msdn.microsoft.com/workshop/a...ence_entry.asp
* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 6/7 and Mozilla
* http://www.mozilla.org/docs/web-deve...upgrade_2.html
> And in this case, doing what's in the customer's best interest would be to explain to them that any "security" without SSL is not secure and they are
fooling themselves if they think otherwise.
We do.
The costs of development on this "security" to this point could have been
put towards purchasing a certificate to enable SSL.
We aren't the ones buying the certificate. Once again, we build a product
that is sold to many customers. For whatever reason, some of the customers
don't want SSL, but they still want a warm fuzzy from us saying we've done
all we can short of SSL to make it secure.
Steven gave me a very good suggestion elsewhere in this thread, and it looks
like it will work fine. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Chris |
last post by:
Hello all.
I'm currently working on a new site that encompasses the registration
of members. The registration is taking place through PHP interaction
with MySQL. The site is just going to be for my friends and I, but I
have run into an issue that I have often wondered about before. Any
insight would be appreciated.
The database contains semi-sensitive information. Not CC numbers, but
think more like usernames/passwords to other...
|
by: Richard |
last post by:
I'm looking to do my own basic encryption. I've been tyring to do a
concept such as:
I pass this function the string, key and number of rounds I want to do
the encryption. because im round shifting the bits the decryption
doesn't work.. :P
Am I going about this all wrong or does anybody know an easier way
(besides getting an open source algo class such as Crypto++)
I'm super new to fooling with the bits/encryption
|
by: Mike Cronin via DotNetMonster.com |
last post by:
Hi there,
Can anyone tell me what level of encryption is used when making an HTTPS
POST request through an instance of the System.Net.HttpWebRequest object?
Thanks much in advance!
Mike Cronin
Data On Call - Programmer
|
by: jlocc |
last post by:
Hi!
I was wondering if someone can recommend a good encryption algorithm
written in python. My goal is to combine two different numbers and
encrypt them to create a new number that cann't be traced back to the
originals.
It would be great if there exists a library already written to do this,
and if there is, can somebody please point me to it??
|
by: helmut woess |
last post by:
Hi,
has anybody knowledge about the safetyness of encrypting stored procs in
SQL-Server 2005 using WITH ENCRYPTION? Or can they be hacked with the same
old tools which exists for SQL 2000?
thanks,
Helmut
| | |
by: Bonj |
last post by:
I was in need of an encryption algorithm to the following requirements:
1) Must be capable of encrypting strings to a byte array, and decyrpting
back again to the same string
2) Must have the same algorithm work with strings that may or may not be
unicode
3) Number of bytes back must either be <= number of _TCHARs in *
sizeof(_TCHAR), or the relation between output size and input size can be
calculated simply. Has to take into account the...
|
by: larry mckay |
last post by:
Hi,
Does anyone have any simple text string encryption routines that are
easy to implement? I'm trying to prevent users and system
administrators from figuring out how I implement things.
thanks
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
|
by: eggie5 |
last post by:
I have a form where a user can change his password, but I'm confused
on how to prevent this from being transmitted in plain text.
Well, I know how not to transmit it in plain text - use any type of
encryption, but then the problem is, how do I decrypt it on the server
to store it?
If I use some type of key based encryption, the how do I get the key
to the client without it being intercepted, rendering the whole
process useless.
|
by: manmit.walia |
last post by:
Hello Everyone,
Long time ago, I posted a small problem I had about converting a VB6
program to C#. Well with the help with everyone I got it converted.
But I overlooked something and don't understand why it is doing this.
Below is my code, I would be greatfull if someone can guide me through
the right path or even help me solve this issue.
Problem: The old tool which was written in VB6 works perfect. But I
needed to convert this to C#...
|
by: klenwell |
last post by:
Another request for comments here.
I'd like to accomplish something like the scheme outlined at this page
here:
http://tinyurl.com/3dtcdr
In a nutshell, the form uses javascript to hash (md5) the password
field using a random one-time salt (nonce) -- generated by php and
pasted in the form -- that is then posted with the hashed password
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
| | |
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
