Walter Sobchak wrote:
The connection is ssl encrypted and I need to write some sensitive
information in a cookie. I'd like to encrypt the cookie on the client so
it could be decrypted later on the server.
I would usually not perform such a task at the client. The server
could both encrypt the value and set the cookie via an HTTP header
(still better than document.cookie IMHO).
1. If I use a symmetric algorithm how do I send the encryption key?
If you were to use javascript, there is no other choice than making the
key/salt available as plaintext for the script in the web page, thus
making it interceptable for the viewer of the page. I think there can
be little doubt that a server-side solution would be better in this
case.
2. Is there any asymmetric algorithm that doesn't have an impact on
performance?
Encryption is memory-intensive by nature, but I wouldn't care much
about only one en-/decrypt action. The difficulty for asymmetric
cryptography is that there are both the private key (encrypt) and the
public key (decrypt).
A somewhat safe strategy could be to make only the public key
available to the client; so he can only decrypt the cookie with it.
But I believe this would be the opposite of your plan: when you want
to encrypt asymmetrically in javascript, you always need the private
key.
But I think that symmetric cryptography is more recommended in your
scenario (and preferably done at the server).
3. Is there a difference in writing cookies with http and https?
I think https in that case doesn't help.
HTTPS secures the transmission of data along the line, but nothing
more. You are only reasonably safe that nobody can intercept data
between server and client. Most security problems do not relate to
this area.
--
Bart