I want to hash my password using SHA256 on the JSP page itself using JavaScript, to protect against various security attacks, and send this hashed password to the Spring controller. But I am not able to get the hashed string generated.
This is my JavaScript code. The first alert is coming but not the second one. Do I need to include any jar or JS file for SHA256 to work?
document.getElementById('loginButton').onclick = function() {
    var txt_string = document.getElementById('loginPassword').value; // gets the value of the password field
    alert('normal password is ' + txt_string);
    // hashes the value; SHA256() is not built into the browser and must come from an included script
    var hashedpassword = SHA256(txt_string);
    alert('hashed password is ' + hashedpassword);
    return false;
};
SHA256 is not included by default in JavaScript; you need to use a library. A quick Google search gives this page: http://www.movable-type.co.uk/scripts/sha256.html. You can also take a look at this question: Are there any SHA-256 javascript implementations that are generally considered trustworthy?
I have written an input form (in ServiceNow) for admins to request a new certificate via a Cert Authority integration. However, prior to submission I want to validate that the Certificate Signing Request has the correct headers and a key length of 2048.
Example of CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIICpTCCAY0CAQAwYDEqMCgGCSqGSIb3DQEJARYbamFtZXN0b21saW5zb25AbmJu
Y28uY29tLmF1MSUwIwYDVQQDDBxTZXJ2aWNlTm93LlRlc3QuSnVseTIxLkxvY2Fs
MQswCQYDVQQGEwJBVTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKpd
VbZG3Ph+UdiOYh+zFqH6pIavANGytWcvEnloG/DboW+JxpWQBqmZqvOZgWnPyC06
wS4f/YpElLFX83/+jLc6Gt3B/QDgfxhGaVnurDx56RvTM1LQVfBZJ3l+OYUmAof+
YB25aRhKQ4krWvXGMUujoi5QSl9yNZlAIzgpjgJ7cRHcbUhlOdcQVz/WnC2dcWB3
H/vLPIzciODOrzwIq1lSJ3OkdOJJ23Ifu19e9ySJsWYoC28THm6Ub8Z9gHHlPTfO
im5UxZFBZjLkx/YphQNNqcMxFMCO/CDo1bZlggws61O2liPzC8LpGwkroYIxngoQ
5rbvm/uyG/HelAFZYT0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCouy3b62xV
Bu4Scd38HMgtaTCHOndutsuwNnYF6SpxdSTYYMVQIa+gHy3N4vpQ+lNboPlOhsQd
58Jt9iwnmYCR32d36FVmsIpu5xAwweQUBK5v/GIPx5yjY0k8bTFC3vJUsIxbClwC
UtUE5p7p+Ulm+4olk/+VYeKtvE+l+e89NQ4sBlOE5JVSulRsxLjRfQscvj/0Ln/7
7iZQxfgL/Vv1UUBiLfTEmfSyu5i7IomoAUBSJ9xipbh5OWolqHzIBmpQY504Es3X
Ojs9d6KwyCSu5S2yUoj98C+OidqkHXDSfwWQSCfWn1vCuTFQlFS5viYK2pzIjozE
71owCWT8RpGd
-----END CERTIFICATE REQUEST-----
I plan to write a quick client-side script to validate the input, but I'm a little stumped on the syntax. Any help appreciated.
This will be very difficult to do...
Checking the CSR headers is relatively straightforward... you can do something like the following in an onSubmit script:
var totalString = g_form.getValue('fieldName').trim();
var headerString = totalString.slice(0, 35);                                // '-----BEGIN CERTIFICATE REQUEST-----' is 35 chars
var encodedCertString = totalString.substring(35, totalString.length - 33); // the base64 PKCS#10 body
var footerString = totalString.slice(totalString.length - 33);              // '-----END CERTIFICATE REQUEST-----' is 33 chars
var validCert = (headerString == '-----BEGIN CERTIFICATE REQUEST-----') &&
                (footerString == '-----END CERTIFICATE REQUEST-----');
if (!validCert) {
    g_form.addErrorMessage('CSR in field missing correct headers');
    return false;
}
Where things get "interesting" is that what is between the header and footer of the CSR is a Base64-encoded PKCS#10 binary block of data. Writing a function to deal with binary data is generally beyond what you will want to do in a client-side function... the public key itself is merely a portion of that PKCS#10 binary package, not the whole, so there is no easy way to "decode" it and iterate through the raw binary bytes to find the actual key and measure its bit length. Have a look at the PKCS#10 binary package format here: https://en.wikipedia.org/wiki/Certificate_signing_request
Most folks that have online CSR decoders actually pass the input to OpenSSL and have it parse the request and report on all of the data that makes it up. For instance: https://redkestrel.co.uk/products/decoder/. You could do something similar, but doing so would require a hackish/creative use of a custom MID Server script that you could call using a custom probe... Again, not something that you would want to mess with within the bounds of a ServiceNow client script.
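The answer above leaves key-length checking to OpenSSL. As an added example (my code, not from the answer and not a ServiceNow API), the snippet below shows that a client-side check of the modulus size is feasible with a small DER walk, because PKCS#10 is plain DER and the modulus sits at a fixed path: CertificationRequest, then certificationRequestInfo, then subjectPKInfo, whose subjectPublicKey BIT STRING wraps RSAPublicKey { modulus, publicExponent }. It needs no library. The sample input is the CSR from the question; everything else (function names, messages) is mine, and it deliberately handles only RSA keys.

```javascript
// Added example (not from the answer above): validate the PEM armour of a PKCS#10
// CSR and walk just enough DER to read the RSA modulus size. Handles SEQUENCE,
// INTEGER, OID and BIT STRING with short- and long-form lengths; nothing more.

const PEM_RE = /^-----BEGIN CERTIFICATE REQUEST-----\s*([A-Za-z0-9+\/=\s]+?)\s*-----END CERTIFICATE REQUEST-----$/;
const OID_RSA_ENCRYPTION = '1.2.840.113549.1.1.1';

function pemToDer(pem) {
  const m = PEM_RE.exec(String(pem).trim());
  if (!m) throw new Error('missing BEGIN/END CERTIFICATE REQUEST headers');
  const b64 = m[1].replace(/\s+/g, '');
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('latin1');
  return Uint8Array.from(bin, ch => ch.charCodeAt(0));
}

// One DER TLV at offset `off`: the tag and the value's [start, end) range.
function readTlv(der, off) {
  if (off + 2 > der.length) throw new Error('truncated DER');
  const tag = der[off];
  let len = der[off + 1], p = off + 2;
  if (len & 0x80) {                                   // long form: 0x8n, then n length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported DER length encoding');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[p++];
  }
  if (p + len > der.length) throw new Error('DER length runs past end of data');
  return { tag, start: p, end: p + len };
}

function expectTag(tlv, tag, what) {
  if (tlv.tag !== tag) throw new Error('expected ' + what + ', got tag 0x' + tlv.tag.toString(16));
  return tlv;
}

function readOid(der, tlv) {                            // dotted form of an OBJECT IDENTIFIER value
  const out = [Math.floor(der[tlv.start] / 40), der[tlv.start] % 40];
  let v = 0;
  for (let i = tlv.start + 1; i < tlv.end; i++) {
    v = v * 128 + (der[i] & 0x7f);
    if (!(der[i] & 0x80)) { out.push(v); v = 0; }
  }
  return out.join('.');
}

// Returns the modulus length in bits, or throws with a reason.
function csrRsaKeyBits(pem) {
  const der  = pemToDer(pem);
  const req  = expectTag(readTlv(der, 0), 0x30, 'CertificationRequest');
  const info = expectTag(readTlv(der, req.start), 0x30, 'CertificationRequestInfo');
  const ver  = expectTag(readTlv(der, info.start), 0x02, 'version');
  const subj = expectTag(readTlv(der, ver.end), 0x30, 'subject');
  const spki = expectTag(readTlv(der, subj.end), 0x30, 'SubjectPublicKeyInfo');
  const alg  = expectTag(readTlv(der, spki.start), 0x30, 'AlgorithmIdentifier');
  const oid  = readOid(der, expectTag(readTlv(der, alg.start), 0x06, 'algorithm OID'));
  if (oid !== OID_RSA_ENCRYPTION) throw new Error('not an RSA key (' + oid + ')');
  const bits = expectTag(readTlv(der, alg.end), 0x03, 'subjectPublicKey');
  if (der[bits.start] !== 0) throw new Error('unexpected unused bits in BIT STRING');
  const rsa  = expectTag(readTlv(der, bits.start + 1), 0x30, 'RSAPublicKey');
  const mod  = expectTag(readTlv(der, rsa.start), 0x02, 'modulus');
  let i = mod.start;
  while (i < mod.end && der[i] === 0) i++;            // drop the sign / leading zero byte(s)
  if (i === mod.end) throw new Error('empty modulus');
  return (mod.end - i - 1) * 8 + (32 - Math.clz32(der[i]));
}

// null when acceptable, otherwise the message to show the user.
function validateCsr(pem, requiredBits) {
  try {
    const bits = csrRsaKeyBits(pem);
    return bits === requiredBits ? null : 'CSR key is ' + bits + ' bits, expected ' + requiredBits;
  } catch (e) {
    return 'Invalid CSR: ' + e.message;
  }
}

// The CSR posted in the question, used as the sample input.
const SAMPLE_CSR = `-----BEGIN CERTIFICATE REQUEST-----
MIICpTCCAY0CAQAwYDEqMCgGCSqGSIb3DQEJARYbamFtZXN0b21saW5zb25AbmJu
Y28uY29tLmF1MSUwIwYDVQQDDBxTZXJ2aWNlTm93LlRlc3QuSnVseTIxLkxvY2Fs
MQswCQYDVQQGEwJBVTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKpd
VbZG3Ph+UdiOYh+zFqH6pIavANGytWcvEnloG/DboW+JxpWQBqmZqvOZgWnPyC06
wS4f/YpElLFX83/+jLc6Gt3B/QDgfxhGaVnurDx56RvTM1LQVfBZJ3l+OYUmAof+
YB25aRhKQ4krWvXGMUujoi5QSl9yNZlAIzgpjgJ7cRHcbUhlOdcQVz/WnC2dcWB3
H/vLPIzciODOrzwIq1lSJ3OkdOJJ23Ifu19e9ySJsWYoC28THm6Ub8Z9gHHlPTfO
im5UxZFBZjLkx/YphQNNqcMxFMCO/CDo1bZlggws61O2liPzC8LpGwkroYIxngoQ
5rbvm/uyG/HelAFZYT0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCouy3b62xV
Bu4Scd38HMgtaTCHOndutsuwNnYF6SpxdSTYYMVQIa+gHy3N4vpQ+lNboPlOhsQd
58Jt9iwnmYCR32d36FVmsIpu5xAwweQUBK5v/GIPx5yjY0k8bTFC3vJUsIxbClwC
UtUE5p7p+Ulm+4olk/+VYeKtvE+l+e89NQ4sBlOE5JVSulRsxLjRfQscvj/0Ln/7
7iZQxfgL/Vv1UUBiLfTEmfSyu5i7IomoAUBSJ9xipbh5OWolqHzIBmpQY504Es3X
Ojs9d6KwyCSu5S2yUoj98C+OidqkHXDSfwWQSCfWn1vCuTFQlFS5viYK2pzIjozE
71owCWT8RpGd
-----END CERTIFICATE REQUEST-----`;
```

In a ServiceNow onSubmit client script this reduces to `var msg = validateCsr(g_form.getValue('fieldName'), 2048); if (msg) { g_form.addErrorMessage(msg); return false; }`. The check only reads structure: it does not verify the CSR's self-signature, and a client script is advisory anyway, so the CA integration (or a server-side OpenSSL pass) should still reject weak or malformed requests before issuing anything.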
I am working on an MVC application, where I am trying to encrypt my password. I have encrypted the password on click and it's working fine. How do I decrypt the same value in the MVC controller using CryptoJS?
Here is my code:
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/tripledes.js"></script>
<script>
    var secretString = document.getElementById("txtPassword").value;
    var password = "$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/";
    debugger;
    //document.getElementById("secretstring").innerHTML = secretString;
    // var pass = document.getElementById("txtPassword").value;
    var encrypted = CryptoJS.TripleDES.encrypt(secretString, password); // password is used as a passphrase
    // document.getElementById("encryptedstring").innerHTML = encrypted.toString();
    //var decrypted = CryptoJS.TripleDES.decrypt(encrypted.toString(), password);
    //var finaltext = decrypted.toString(CryptoJS.enc.Utf8);
    //document.getElementById("txtPassword").value = encrypted;
</script>
I have to pass the encrypted value to C# code and decrypt it there using CryptoJS.TripleDES.decrypt.
Anybody help me please?
Thanks in advance.
There is a 3DES provider in the .NET library, and here is a good example of how to use it: How to implement Triple DES in C# (complete example)
In principle, if you use 3DES on the client you just use another 3DES implementation on the server; you don't need to use the same implementation, and since CryptoJS is JavaScript, it is mostly restricted to client-side use anyway.
That being said, your string is not sent securely over the network, because your source code clearly identifies the method and password used to encrypt. So anyone who can sniff the data going to your server can decrypt it.
To really encrypt the traffic securely, you'd need to use SSL (i.e. HTTPS).
My team must share data between a local-net HTML/JS app and a server on the same net listening on a WebSocket.
The first idea was to simply send variables to the server with GET:
http://192.168.1.100:8080/var=hello
It's simple and works, but we must add a security level to the data exchange, encrypting everything with AES and then hex-encoding the result to send it as a plain string.
The best solution that we found is Crypto-JS https://code.google.com/p/crypto-js/
We are able to follow the examples and encrypt/decrypt data inside the same JS block, but are unable to decrypt the data in other software.
We do:
var text = "Message";
var password = "Secret Passphrase";
var encrypted = CryptoJS.AES.encrypt(text, password); // password is treated as a passphrase
var EnText = encrypted.ciphertext; // WordArray; toString() gives the hex ciphertext
var Key = encrypted.key;           // WordArray; the key derived from the passphrase
It doesn't work with the C# code running on the server, so we tried an online decrypting tool http://aes.online-domain-tools.com/ passing both the password and the key, but it similarly returns unreadable text.
JS generated value for reference
EnText: 5768c9b4d75e0cc32b610d9e6f518c36
Key: 005e316192f5162f7fd104ce2c9fe91de6c6f2977849dcd5878226022a7073be
What are we missing?
OK, I got it: the text is in hexadecimal.
Try deciphering it here:
http://www.unit-conversion.info/texttools/hexadecimal/
Suppose you have the schema for a valid payload defined according to json-schema.org and you'd like to validate it in a proxy prior to handling the payload or passing it to the backend; how can you properly validate the contents of the payload?
Apigee doesn't have a JSON schema validator built in, so your best bet is to use a JavaScript validator such as tv4. Then you need to create a JavaScript callout which has your script to validate the Apigee flow variable and includes your library (for example, tv4.js):
<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" name="JS-Validate-JSON">
    <DisplayName>JS-Validate-JSON</DisplayName>
    <FaultRules/>
    <Properties/>
    <ResourceURL>jsc://validatejson.js</ResourceURL>
    <IncludeURL>jsc://tv4.js</IncludeURL>
</Javascript>
tv4 is available on github at https://github.com/geraintluff/tv4
To expand a bit on Michael B.'s response: validatejson.js will be a JavaScript policy that loads the schema into a schema variable, which is then validated against response.content:
// tv4 wants parsed objects, not strings. The schema is assumed to have been put in a
// flow variable named "schema" earlier in the flow (variable name chosen for this example).
var schema = JSON.parse(context.getVariable('schema'));
var payload = JSON.parse(context.getVariable('response.content')); // throws on non-JSON, which faults the flow
var valid = tv4.validate(payload, schema);
if (valid) {
    print("Schema is valid! " + valid);
} else {
    context.setVariable("raiseFaultRuleSchemaValidation", "true");
    context.setVariable("raiseFaultRuleSchemaValidationMessage", tv4.error.message);
}
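As an added example (my code, not tv4 and not from the answers above), the block below implements the json-schema.org keywords a proxy-side check usually needs and runs it over constructed payloads, so the fail-closed behaviour can be seen. It plays the role tv4.validate() plays in validatejson.js; the schema, the payloads and the checkPayload helper are made up for the example.

```javascript
// Added example (not tv4): a small json-schema validator covering type, required,
// properties, additionalProperties, items, enum, minimum/maximum, minLength/maxLength
// and pattern, run over constructed payloads the way a proxy callout would.

// Own properties only, so a "__proto__" key in attacker JSON never reaches the prototype chain.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function jsonType(v) {
  if (v === null) return 'null';
  if (Array.isArray(v)) return 'array';
  if (typeof v === 'number') return Number.isInteger(v) ? 'integer' : 'number';
  return typeof v;                       // 'string' | 'boolean' | 'object'
}

// Appends human-readable problems to `errors`; an empty list means valid.
function validate(data, schema, path = '$', errors = []) {
  const t = jsonType(data);
  if (schema.type) {
    const allowed = [].concat(schema.type);
    if (!allowed.some(a => a === t || (a === 'number' && t === 'integer'))) {
      errors.push(`${path}: expected ${allowed.join('|')}, got ${t}`);
      return errors;                     // keywords below assume the right type
    }
  }
  if (schema.enum && !schema.enum.some(e => JSON.stringify(e) === JSON.stringify(data)))
    errors.push(`${path}: value not in enum`);
  if (t === 'integer' || t === 'number') {
    if (has(schema, 'minimum') && data < schema.minimum) errors.push(`${path}: below minimum ${schema.minimum}`);
    if (has(schema, 'maximum') && data > schema.maximum) errors.push(`${path}: above maximum ${schema.maximum}`);
  }
  if (t === 'string') {
    if (has(schema, 'minLength') && data.length < schema.minLength) errors.push(`${path}: shorter than ${schema.minLength}`);
    if (has(schema, 'maxLength') && data.length > schema.maxLength) errors.push(`${path}: longer than ${schema.maxLength}`);
    if (schema.pattern && !new RegExp(schema.pattern).test(data)) errors.push(`${path}: does not match ${schema.pattern}`);
  }
  if (t === 'array' && schema.items)
    data.forEach((item, i) => validate(item, schema.items, `${path}[${i}]`, errors));
  if (t === 'object') {
    (schema.required || []).forEach(k => { if (!has(data, k)) errors.push(`${path}: missing required "${k}"`); });
    const props = schema.properties || {};
    for (const k of Object.keys(data)) {
      if (has(props, k)) validate(data[k], props[k], `${path}.${k}`, errors);
      else if (schema.additionalProperties === false) errors.push(`${path}: unexpected property "${k}"`);
    }
  }
  return errors;
}

// Constructed schema for a hypothetical "create user" request body.
const USER_SCHEMA = {
  type: 'object',
  required: ['username', 'role'],
  additionalProperties: false,           // reject fields the backend never asked for
  properties: {
    username: { type: 'string', minLength: 3, maxLength: 32, pattern: '^[a-z0-9_]+$' },
    role:     { type: 'string', enum: ['reader', 'editor'] },
    age:      { type: 'integer', minimum: 0, maximum: 150 },
    tags:     { type: 'array', items: { type: 'string', maxLength: 16 } },
  },
};

// What the callout does with the raw body (context.getVariable('request.content') in Apigee).
function checkPayload(rawBody) {
  let body;
  try { body = JSON.parse(rawBody); } catch (e) { return ['$: body is not valid JSON']; }
  return validate(body, USER_SCHEMA);
}
```

Two design points carry over to the tv4 version: closing the schema with additionalProperties: false is what stops unexpected fields (an "isAdmin" flag, say) from reaching the backend, and a parse failure must count as a validation failure rather than letting the raw body through.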
I've searched for this; there are lots of hits, but I can't find one that is either complete (pulls all the bits together) or says it's a bad idea, use HTTP. I've tried lots of things based on the hits I've found, but I can't get it to work.
The target problem is to AES-encrypt textual data in one place, send it to a web API where it is stored in a database, then retrieve it from the database via another API and decode it in the browser. This is not for security in transmission; it is so that, if the originator and the receiver know the key and IV, it can be stored without the server knowing what the real content is.
The originator code is Python, and the web API is Python, so to make life easier initially I'm storing the content unencrypted in the database. I've done AES encrypt/decrypt in Python before, so that's not an issue. What I'm trying to do is encrypt in Python as the content comes out of the database, transmit it, then decrypt in JavaScript. I've been using the Python 'from Crypto.Cipher import AES' code and the JavaScript CryptoJS implementation from code.google.com.
I'm happy at this stage to write the key and the IV into the code, distribution isn't really a problem as the originator and the client browser are effectively the same system.
I've not added any code because I think it would be more trouble than its worth at this stage.
Thanks in advance!
OK, some code. On the server Python (3) side:
import base64
from Crypto.Cipher import AES   # PyCrypto / PyCryptodome

text = 'This is a message'
key = b'This is a key123'       # 16 bytes -> AES-128; the cipher needs bytes, not str
iv = b'This is an IV456'        # 16 bytes, the CBC block size
data = text.encode()
data += (16 - len(data) % 16) * b' '   # pad to a multiple of 16; spaces are OK here
aes = AES.new(key, AES.MODE_CBC, iv)
enc = base64.b64encode(aes.encrypt(data)).decode()
print(enc)
enc is passed along with other data, JSON encoded, as the response to an AJAX request. On the client JavaScript side:
enc = /* from JSON */ ;
console.log(enc);
// key and IV must be passed as WordArrays; a plain string would be treated as a passphrase
key = CryptoJS.enc.Utf8.parse('This is a key123');
iv = CryptoJS.enc.Utf8.parse('This is an IV456');
// decrypt() takes the base64 string directly, so no separate Base64.decode is needed;
// NoPadding because the sender padded with spaces, not PKCS#7
text = CryptoJS.AES.decrypt(enc, key,
    { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.NoPadding }).toString(CryptoJS.enc.Utf8);
console.log(text.trim());   // decrypt() returns a WordArray, hence toString(); trim() drops the space padding
The Python print(enc) and the JavaScript console.log(enc) are the same, so I know the base64-encoded data is coming over OK. The console.log(text) (in Chrome) shows as
l.WordArray.t.extend.init { ... }
and not 'This is a message'. So why not?
Solved, but another mystery
I used the code from this gist:
https://gist.github.com/andres-erbsen/1307675
But: this uses code from http://crypto-js.googlecode.com/files/... which is not what you get from the download at https://code.google.com/p/crypto-js/downloads/list. The gist code uses Crypto.xxxx names; the download code uses CryptoJS.xxxx names. The gist is 2 years old; has CryptoJS replaced Crypto, maybe?