473,323 Members | 1,570 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,323 software developers and data experts.

Encryption of post data

I'm looking for ideas on encrypting form data. For example, if a user enters
a password, I would like to encrypt it before it gets posted, then decrypt
it server-side.

The obvious answer for a password is to 1-way hash it. Unfortunately, this
is for data that will not be known ahead of time - I have the requirement of
needing to encrypt any password-style textbox entries, then decrypt them on
the server. This is intended to provide 'better-than-nothing' security when
SSL is not present, and most likely would only be employed over an intranet.

It's my understanding that symmetric algos are fastest, but the problem
there is that the single key to encrypt/decrypt will need to be sent to the
client machine, which means it, along with the post data, is viewable by
anyone snooping.

An asymmetric algorithm, it would then seem, would do the trick. A public
key could be used client-side to encrypt, and then a private key could be
used server-side to decrypt. However, from googling on this, it appears that
javascript might not be up to the task from a performance perspective. I
haven't found any clear answers on this topic.

Any thoughts or direction on this are much appreciated.

TIA,
Pete
Jul 20 '05 #1
12 13015
Peter Young wrote:
I'm looking for ideas on encrypting form data. For example, if a user
enters a password, I would like to encrypt it before it gets posted, then
decrypt it server-side.


http with SSL, AKA https.
--
David Dorward http://david.us-lot.org/
Jul 20 '05 #2
"Peter Young" <yo*****@comcast.no.net.spam.please> wrote in message
news:JwbYa.54410$cF.19329@rwcrnsc53...
I'm looking for ideas on encrypting form data. For example, if a user enters a password, I would like to encrypt it before it gets posted, then decrypt
it server-side.

It's my understanding that symmetric algos are fastest, but the problem
there is that the single key to encrypt/decrypt will need to be sent to the client machine, which means it, along with the post data, is viewable by
anyone snooping.

An asymmetric algorithm, it would then seem, would do the trick. A public
key could be used client-side to encrypt, and then a private key could be
used server-side to decrypt. However, from googling on this, it appears that javascript might not be up to the task from a performance perspective. I
haven't found any clear answers on this topic.

Any thoughts or direction on this are much appreciated.


Here is what you need: You do a normal encoding of the text. You send
the decoding key with the text, but you encode it using public/private key
encryption (with as many bits as the law allows).

The simplest way to do that is to use built-in security: secure sockets and
secure http.

Jul 20 '05 #3
"Steven Dilley" <steven.dilley.at.compuware.com> wrote in message
news:3f********@10.10.0.241...
Here is what you need: You do a normal encoding of the text. You send
the decoding key with the text, but you encode it using public/private key
encryption (with as many bits as the law allows).
Is this so that it performs fast enough, vs. just encrypting everything with
public/private?
The simplest way to do that is to use built-in security: secure sockets and secure http.


I understand that, which is why I said this is intended to provide
'better-than-nothing' security when SSL is not present.

Thanks,
Pete
Jul 20 '05 #4
Peter Young wrote:
I'm looking for ideas on encrypting form data. For example, if a user
enters a password, I would like to encrypt it before it gets posted,
then decrypt it server-side. .... Pete


Not sure if this will help, but here is a link to a javascript MD5 thing....
http://pajhome.org.uk/crypt/md5/

* Encrypt on the client.
* Send encrypted to server.
* Make use of encrypted. (either as is, or MD again)
eg...
md5("password") returns 5f4dcc3b5aa765d61d8327deb882cf99
....then...
md5("5f4dcc3b5aa765d61d8327deb882cf99") = returns
696d29e0940a4957748fe3fc9efd22a3

.... as i say, not sure if this will help, but it may.
Jul 20 '05 #5
> >> http with SSL, AKA https.

As I said in my original post, this is intended to provide
'better-than-nothing' security when SSL is not present.


Yes, but you're being silly, the effort involved in doing this for the
limited security it might give is not worth the effort, when you could
just enable SSL, what is stopping you?


It's not up to me. This is a product that we sell. If the customer wants
true security, we tell them to use SSL. However, they don't all want to use
SSL, yet they expect us to say we've at least tried to make it secure. I
want the implementation to be as secure as possible given that SSL is not
being used. Is that silly? Probably. But in a competitive marketplace, we do
what we have to do to keep the customer's interest.

-Pete
Jul 20 '05 #6
"Peter Young" <yo*****@comcast.no.net.spam.please> wrote in message
news:D6eYa.54979$cF.19380@rwcrnsc53...
"Steven Dilley" <steven.dilley.at.compuware.com> wrote in message
news:3f********@10.10.0.241...
Here is what you need: You do a normal encoding of the text. You send
the decoding key with the text, but you encode it using public/private key encryption (with as many bits as the law allows).
Is this so that it performs fast enough, vs. just encrypting everything

with public/private?


Yes, exactly.
The simplest way to do that is to use built-in security: secure sockets

and
secure http.


I understand that, which is why I said this is intended to provide
'better-than-nothing' security when SSL is not present.


What is the reason for avoiding ssl? Cost? Inconvenience?

--
Steve

Jul 20 '05 #7
you might also find this link useful:

http://simrsa.netian.com/english/

Jul 20 '05 #8
Peter Young wrote:
> http with SSL, AKA https.

As I said in my original post, this is intended to provide
'better-than-nothing' security when SSL is not present.


Yes, but you're being silly, the effort involved in doing this for the
limited security it might give is not worth the effort, when you could
just enable SSL, what is stopping you?


It's not up to me. This is a product that we sell. If the customer wants
true security, we tell them to use SSL. However, they don't all want to use
SSL, yet they expect us to say we've at least tried to make it secure. I
want the implementation to be as secure as possible given that SSL is not
being used. Is that silly? Probably. But in a competitive marketplace, we do
what we have to do to keep the customer's interest.

-Pete


And in this case, doing what's in the customer's best interest would be to
explain to them that any "security" without SSL is not secure and they are
fooling themselves if they think otherwise.

The costs of development on this "security" to this point could have been put
towards purchasing a certificate to enable SSL.

When I discover I am doing business with a company that relies on half-assed
security measures, I move my business elsewhere.

--
| Grant Wagner <gw*****@agricoreunited.com>

* Client-side Javascript and Netscape 4 DOM Reference available at:
*
http://devedge.netscape.com/library/...ce/frames.html

* Internet Explorer DOM Reference available at:
*
http://msdn.microsoft.com/workshop/a...ence_entry.asp

* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 6/7 and Mozilla
* http://www.mozilla.org/docs/web-deve...upgrade_2.html
Jul 20 '05 #9
> And in this case, doing what's in the customer's best interest would be to
explain to them that any "security" without SSL is not secure and they are
fooling themselves if they think otherwise.
We do.

The costs of development on this "security" to this point could have been put towards purchasing a certificate to enable SSL.


We aren't the ones buying the certificate. Once again, we build a product
that is sold to many customers. For whatever reason, some of the customers
don't want SSL, but they still want a warm fuzzy from us saying we've done
all we can short of SSL to make it secure.

Steven gave me a very good suggestion elsewhere in this thread, and it looks
like it will work fine.
Jul 20 '05 #10
On Thu, 07 Aug 2003 15:18:29 GMT, "Peter Young"
<yo*****@comcast.no.net.spam.please> wrote:
And in this case, doing what's in the customer's best interest would be to
explain to them that any "security" without SSL is not secure and they are
fooling themselves if they think otherwise.


We do.

The costs of development on this "security" to this point could have been

put
towards purchasing a certificate to enable SSL.


We aren't the ones buying the certificate. Once again, we build a product
that is sold to many customers. For whatever reason, some of the customers
don't want SSL, but they still want a warm fuzzy from us saying we've done
all we can short of SSL to make it secure.


If it's intranet, you don't even need to purchase a certificate, self
signed one with authority pushed out to the desktops, or just ignored.

Jim.
--
comp.lang.javascript FAQ - http://jibbering.com/faq/

Jul 20 '05 #11
> If it's intranet, you don't even need to purchase a certificate, self
signed one with authority pushed out to the desktops, or just ignored.


That's good to know, thanks.

-Pete
Jul 20 '05 #12
> > And in this case, doing what's in the customer's best interest would be to
explain to them that any "security" without SSL is not secure and they are
fooling themselves if they think otherwise.
We aren't the ones buying the certificate. Once again, we build a product
that is sold to many customers. For whatever reason, some of the customers
don't want SSL, but they still want a warm fuzzy from us saying we've done
all we can short of SSL to make it secure.


Security is the bane of the internet. Link encryption does not by itself provide
secure distributed systems, but it is a necessary precondition. SSL provides
link encryption. It has been well tested over many years. It is madness to not
use it in environments that provide it.

Whatever you roll on your own is necessarily less trustworthy than SSL. If your
customers don't want SSL because they don't trust it, they should not be
satisfied by this effort. A better use of resources would be to educate them and
you on secure distributed architecture. False security can be horrendously
expensive.

Jul 20 '05 #13

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: Chris | last post by:
Hello all. I'm currently working on a new site that encompasses the registration of members. The registration is taking place through PHP interaction with MySQL. The site is just going to be...
6
by: Richard | last post by:
I'm looking to do my own basic encryption. I've been tyring to do a concept such as: I pass this function the string, key and number of rounds I want to do the encryption. because im round...
9
by: Mike Cronin via DotNetMonster.com | last post by:
Hi there, Can anyone tell me what level of encryption is used when making an HTTPS POST request through an instance of the System.Net.HttpWebRequest object? Thanks much in advance! Mike...
34
by: jlocc | last post by:
Hi! I was wondering if someone can recommend a good encryption algorithm written in python. My goal is to combine two different numbers and encrypt them to create a new number that cann't be...
7
by: helmut woess | last post by:
Hi, has anybody knowledge about the safetyness of encrypting stored procs in SQL-Server 2005 using WITH ENCRYPTION? Or can they be hacked with the same old tools which exists for SQL 2000? ...
113
by: Bonj | last post by:
I was in need of an encryption algorithm to the following requirements: 1) Must be capable of encrypting strings to a byte array, and decyrpting back again to the same string 2) Must have the same...
6
by: larry mckay | last post by:
Hi, Does anyone have any simple text string encryption routines that are easy to implement? I'm trying to prevent users and system administrators from figuring out how I implement things....
25
by: eggie5 | last post by:
I have a form where a user can change his password, but I'm confused on how to prevent this from being transmitted in plain text. Well, I know how not to transmit it in plain text - use any type...
8
by: manmit.walia | last post by:
Hello Everyone, Long time ago, I posted a small problem I had about converting a VB6 program to C#. Well with the help with everyone I got it converted. But I overlooked something and don't...
19
by: klenwell | last post by:
Another request for comments here. I'd like to accomplish something like the scheme outlined at this page here: http://tinyurl.com/3dtcdr In a nutshell, the form uses javascript to hash...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.