
JAVAScript Public Key Encryption

Hi,

Does anyone know how "JAVAScript Public Key Encryption" works?

I am trying to secure my web page.
The users are going to log in to my website.
I want to give them a 4 digit pin, that will match the Private key
generated by JAVAScript Public Key Encryption algorithm. Something
like that.

Thanks
Nov 20 '08 #1
4 Replies


webmaniac wrote on 20 nov 2008 in comp.lang.javascript:
> Does anyone know how "JAVAScript Public Key Encryption" works?
>
> I am trying to secure my web page.
> The users are going to log in to my website.
> I want to give them a 4 digit pin, that will match the Private key
> generated by JAVAScript Public Key Encryption algorithm. Something
> like that.

You cannot secure your webpage with clientside code, methinks.

You could secure some information on a page, but what the heck,
doing that serverside is better and easier.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Nov 20 '08 #2

On Nov 20, 12:29 pm, "Evertjan." <exjxw.hannivo...@interxnl.net>
wrote:
> webmaniac wrote on 20 nov 2008 in comp.lang.javascript:
> > Does anyone know how "JAVAScript Public Key Encryption" works?
> > I am trying to secure my web page.
> > The users are going to log in to my website.
> > I want to give them a 4 digit pin, that will match the Private key
> > generated by JAVAScript Public Key Encryption algorithm. Something
> > like that.
>
> You cannot secure your webpage with clientside code, methinks.
>
> You could secure some information on a page, but what the heck,
> doing that serverside is better and easier.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)

Hi Evertjan,

Let's say. Someone got registered at the website, the private key got
generated by the Public key algorithm, Now user has to enter that
Public key to access the system. But the public key is so long & we
don't want the user to remember that big a key. Is there a way we can
convert that key into a 4 digit pin? Do you know any algorithm that
converts that key into a 4 digit pin?

Thanks
Nov 20 '08 #3

webmaniac wrote on 20 nov 2008 in comp.lang.javascript:
> Let's say. Someone got registered at the website,

What does that mean, "Someone got registered at the website"?

> the private key got
> generated by the Public key algorithm,

Where is that generating code located, on clientside code?

> Now user has to enter that
> Public key to access the system.

What system? On the server?

> But the public key is so long & we
> don't want the user to remember that big a key. Is there a way we can
> convert that key into a 4 digit pin? Do you know any algorithm that
> converts that key into a 4 digit pin?

    // look up the long key by its 4-digit PIN
    var publicKey = {};
    publicKey['2641'] = 'ThisisTheVeryLongKeyBlahBlahBlahBlahBlahBlahetc';

Again, as in your subject line, you ask for encryption.

Why would you want to encrypt a public key anyway, as it is public?

And why would you want to do that clientside?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Nov 20 '08 #4

webmaniac wrote:
> Let's say. Someone got registered at the website, the private key got
> generated by the Public key algorithm, Now user has to enter that
> Public key to access the system. But the public key is so long & we
> don't want the user to remember that big a key. Is there a way we can
> convert that key into a 4 digit pin?

As with most security solutions created by non-experts, and most
applications of cryptography created by non-experts, this is neither
secure nor an appropriate use of cryptographic technology.

Using an asymmetric key pair by itself as an authenticator is a lousy
use of the primitive. It's vulnerable to replay attacks, for example.

If the user's secret is a "public" key, then it's not secret, by
definition. So your scheme makes no sense anyway. (Perhaps you meant
that the user supplies the private key.)

It's not clear why you think you need an asymmetric primitive at all.
What are you gaining over a shared secret, or a secret and a verifier
such as a cryptographic hash? Those are much more common
authentication mechanisms.

As Evertjan already pointed out, client-side security is rarely
useful. If the user is verified by the client, the server has no
grounds for trusting the verification.

Can you reduce an asymmetric key to a 4-digit PIN? Sure. You can
reduce it to a 1-digit PIN, too. But it would be stupid to do so.
Decimal PINs are hard for users to remember, they're inconvenient to
enter on systems that don't have numeric keypads, and they have little
entropy (less than 14 bits for a 4-digit decimal PIN). If your system
has any vulnerability that an attacker can exploit to guess PINs (and
I bet it does), then it only takes an average of 5000 attempts to
break it for a given user.

In short: don't do this. Either employ an actual security expert to
secure your site, or purchase a decent off-the-shelf package for it.

--
Michael Wojcik
Micro Focus
Rhetoric & Writing, Michigan State University
Nov 21 '08 #5
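
An added example, not part of the thread and not any poster's code: a Node.js illustration of the "secret and a verifier" approach mentioned in the post above, with the check done on the server and a cap on failed attempts. The in-memory `users` map, the `MAX_FAILURES` value, the function names and the sample accounts are assumptions made for illustration.

```javascript
// Added example: server-side "secret + verifier" login with a failure cap.
const crypto = require('crypto');

const MAX_FAILURES = 5;   // assumed lockout threshold
const users = new Map();  // assumed in-memory store standing in for a database

// Store a salted, slow hash (the verifier), never the secret itself.
function register(name, secret) {
  const salt = crypto.randomBytes(16);
  const verifier = crypto.scryptSync(secret, salt, 32);
  users.set(name, { salt, verifier, failures: 0 });
}

// Runs on the server; the client only submits the secret.
function login(name, secret) {
  const user = users.get(name);
  if (!user) return 'denied';
  if (user.failures >= MAX_FAILURES) return 'locked';
  const candidate = crypto.scryptSync(secret, user.salt, 32);
  if (crypto.timingSafeEqual(candidate, user.verifier)) {
    user.failures = 0;
    return 'ok';
  }
  user.failures += 1;
  return 'denied';
}

// Entropy of a uniformly chosen secret: length * log2(alphabet size).
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Constructed sample data: the PIN value echoes the one used in the thread.
register('alice', '2641');
console.log(login('alice', '2641'));
console.log(entropyBits(10, 4).toFixed(2));   // 4-digit decimal PIN
console.log(entropyBits(62, 12).toFixed(2));  // 12-character alphanumeric secret
```

With a cap of 5 failures, an online guesser can try 5 of the 10,000 possible 4-digit PINs per account before lockout. The verifier alone does not protect a 4-digit secret if the stored hashes leak, since the whole PIN space is small enough to enumerate.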
