I want to encrpyt my password and username from client side and decrypt it at server side(Asp.net core) with RSA(Or any other asymmetric algorithms). I am gonna send public key from server side so I don't need to create a public key at client side only need to encrypt it.
I am trying something like this..
var encrypt = new JSEncrypt();
encrypt.setPublicKey($('#pubkey').val());
var encrypted = encrypt.encrypt($('#input').val());
but it says JSEncrypt is not defined normally. But I don't know how to include this propery at my code.
https://github.com/travist/jsencrypt in here there is a good explanation but still I couldn't manage to do it. Also I really need a simple thing for just encryption with a known public key.
Edit 1: I am using https already but I still need to do it unfortunately.
Related
I am using Hyperledger Fabric V1.4 on my project. I have enrolled and registered users. And now I want to transfer files between users while remain private, which means I need to encrypt the file so that only the receiver can see. For example, user A wants to send a file to user B. The basic workflow I'm thinking right now is that:
User A and B register in the Hyperledger Network and get public/private keys.
User A uploads a file in IPFS and gets a hash from IPFS. (Since everyone with the hash can access the file, we need to encrypt the file hash.)
Encrypt the file hash with user B's public key.
Send the encrypted hash to user B.
User B receives the encrypted hash and uses B's private key to decrypt the hash, and gets the IPFS file hash. Then B can view the hash using IPFS.
Problems I'm having:
In step 3, how to get a user's public key? I only found ways to get certificate and private key. Or can I get public key from the certificate?
Is there an algorithm to encrypt files/strings using Hyperledger-generated public and private keys?
Thank you!
Yes it is possible something similar, but with ECDSA it does not work this way. You do not encrypt with the user B's public key. What you do is to derive a symmetric key from user B's public key and user A's private key in a way the same symmetric key is derived from user A's public key and user B's private key. It is known as ECDH. I haven't here an example in Javascript (you can search it the same way I would), but to understand it, take a look a give a try to the example (with OpenSSL) in https://jameshfisher.com/2017/04/14/openssl-ecc/.
You can get the public key from the certificate (it is embedded in the certificate) or derive it from the private key. Choose your way.
NOTE: I find more secure encrypting the content before storing it in IPFS and share the hash than encrypting the hash.
EDIT: For nodejs, you can try this: https://www.npmjs.com/package/eccrypto. It seems it includes also some similar to what you were looking for initially.
Say I have some Form's authentication Cookie:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
"TESTTEST",
DateTime.Now,
DateTime.Now.AddMinutes(30),
false,
String.Empty,
FormsAuthentication.FormsCookiePath);
Normally in C# we can decrypt this like so:
var authToken = FormsAuthentication.Decrypt(authCookie.Value);
I'm creating a tool for testing an I want to decrypt the cookie on the client-side.
If my machine key is: GHFDK45sDFGSKj234 How can I decrypt the Authentication from Javascript?
First you need to know the algorithm that the forms authentication is using. Then you need to find a javascript library that can decrypt that algorithm
I like to implement mechanisam where string on Cliend Browser encrypted using key before page post to server and then I can use server side C# code to decrypt that posted string using the same Key.
I am generating unique key on each page request using Random class.
ASPX File
<asp:TextBox runat="server" ID="txtData" ClientIDMode="Static"></asp:TextBox>
<asp:HiddenField runat="server" ID="ClientKey" ClientIDMode="Static"/>
<asp:Button runat="server" Text="Submit" OnClick="OnClick" OnClientClick="return EncryptData();"/>
EncryptData()
function EncryptData() {
var plaintext = $('#txtData').val();
var secret = $('#ClientKey').val();
var encrypted;// Encrypt(plaintext, secret);
$('#txtData').val(encrypted);
return true;
}
C#
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
{
int key = new Random().Next();
ServerKey = key;
ClientKey.Value = key.ToString();
}
}
protected void OnClick(object sender, EventArgs e)
{
// Decrypt(txtData.Text, ServerKey.ToString()));
}
Update 1
I have seen same mechanisam on HDFC bank Login page where they first encrypt user's password and then post the form.
After some thought, here is what I propose you could do. Lets here from everyone else on what they think as well.
Create an additional key. a passphrase(probably a question and answer kind of thing, mothers name or pet name etc) and use that as the key for encrypting or decrypting.
So while logging the user will input
User Name
Password
A prerecorded question's answer which is stored on
server side already during registration
On submit.
encrypt the password with answer to the prerecorded question.
when it is received in the server side decrypt the password with answer for the prerecorded question stored in server side(a database).
If the password matches allow or otherwise deny services.
This way anyone who intercepts your request to login to the server side will not have the key to decrypt. And as mentioned by smoksnes use https for additional security
I would reconsider the usage of what you are doing. You are encrypting something with a key, and then you send that thing to the server together with the key. Sure, it will be harder to read the value and it might frighten some low-level sniffers, but it isn't secure. It's security by obscurity.
Think of it like this. Alice wants to send a loveletter to Bob, but Alice don't want anyone else than Bob to read the loveletter so she puts it in a safe. Thinking that the loveletter is safe she mails it to Bob. But she remembers that Bob cannot open the safe, so in the same package she also puts the key to the safe.
The problem here is that the post office, or any other with access to the package, can open the safe. In this analogy Alice is the client (web browser, javascript), the internet wire is the post office and the server is Bob.
There are ways to encrypt it using javascript. Such as:
http://point-at-infinity.org/jsaes/
https://code.google.com/archive/p/crypto-js/
And if you still want to encrypt the data on client side, which there's no harm in doing, I would avoid sending the key in the request back to the server. It should be enough for the server to send it to the client. Then the client shouldn't have to send it back. Instead you can store in session on server side. This way you can at least make the man-in-the-middle-threat a little smaller.
But in this scenario I would use https for sending the data instead.
The HTTPS uniform resource identifier (URI) scheme has identical
syntax to the standard HTTP scheme, aside from its scheme token.
However, HTTPS signals the browser to use an added encryption layer of
SSL/TLS to protect the traffic. SSL/TLS is especially suited for HTTP
since it can provide some protection even if only one side of the
communication is authenticated. This is the case with HTTP
transactions over the Internet, where typically only the server is
authenticated (by the client examining the server's certificate).
One may argue that https can be cracked as well, but it's still a better choice for sending sensitive data.
I'm trying to create a message system with JavaScript and PHP / MySQL. I have a form with two input elements (recipient id, message content). I'm using MVC (Zend Framework 1). The form post data is send to my controller and stored in the database.
Now I want to encrypt the message before it is sent. I want to keep it user-friendly, so my idea was to use RSA (private / public key). The idea was that a private key was generated on user log in and stored in the cookies, to make sure that the private key is only on the user's machine. The public key could be stored in the user's table, so that any user, who want to send a message to him, can encrypt the data.
It is important that the key-pair is generated by the user's password. If it's random generated, it would not be possible to use multiple systems to log in, because the private key would change everytime. So that would be the mechanism to make sure, that he will always have the same private key, until he is changing his password.
I tried a few JavaScript libraries. cryptico seemed to be the right choice, because it generates private / public key by password. The problem here is, that I can not store the private key and not even look into the value.
They have an example on the website
// The passphrase used to repeatably generate this RSA key.
var PassPhrase = "The Moon is a Harsh Mistress.";
// The length of the RSA key, in bits.
var Bits = 1024;
var MattsRSAkey = cryptico.generateRSAKey(PassPhrase, Bits);
When I try to output MattsRSAkey, I only get [Object object]. It's the same when I store it in the Cookies. I tried to use JSON.stringify. With this function I can store and look inside MattsRSAKey. But when I want to use it later to decrypt the message, I get an error, that I have no valid public key. I think the private key got broken while storing it. When I read the private key from Cookies I use JSON.parse.
Is there any way to solve my problem? I just want to send encrypted messages from multiple users (public key) to one user (private key). My intention is not to have a secure transport but to store the messages encrypted in the database, so that unauthorized persons can not read it. It is important that I do not only have encryption for one-to-one messaging. This would be easy, because both users only would need to share a password for encryption.
There's a couple of things wrong here.
First, you're trying to store a Javascript object directly in a cookie. This won't work: cookies can only store string values. You will need to serialize the key to a string to store it in a cookie; unfortunately, it doesn't appear that the cryptico library exposes any methods to do this, so you will need to either implement a custom serializer, or use another cryptographic library.
Second, you are storing private cryptographic key data in cookies. This is perhaps the worst possible place to store this, as cookies are sent to the web server on every request. Local storage is much more appropriate here, as it is only accessible from Javascript code.
I want to configure my Node app to decode public key encrypted messages POST'ed to it using its private key. The private key is in PEM format.
I wanted to use a javascript only solution on the server side for maximum portability (hence ursa is out), this appear to leave node-bignumber ( on the phone app side, I will be using C# and probably something like Scrypt). The single example given for node-bignumber seems to work well so long as yo use the Key method to generate the certificate, however I already have certificates (the public one installed in my phone app and the private one used by my server) - how do I get this into a format recognised by the the library?
I admit I am totally new to NodeJS and javascript and would greatly appreciate any more general advice you may have in providing backends for phone apps ...