SSL Alternative - encrypt password with JavaScript submit to PHP to decrypt
I\'m building a website and my payment methods will be Google Checkout and Paypal. There will be links/buttons which will redirect the user to the secure Google/Paypal sites
-
RSA is overkill; what you probably need is a simple challenge-response protocol. For example:
- Generate a random nonce value; this helps prevent replay attacks.
- Send that nonce value and the password salt to the browser along with the rest of the login form.
- You are storing passwords in salted and hashed form, right?
- When the user enters a password, have the script on the form compute and send back hash(hash(password, salt), nonce) instead.
- When the server receives the form submission, have it compute hash(storedSaltedPassword, nonce) and verify that it equals the submitted value.
- Retain the nonce value at the server; don't trust the client to echo it back to you, or your replay protection is gone.
The weakness of this scheme is that the password hashes in the database are in some sense password-equivalent; while it's likely infeasible to extract the original password used to produce those hashes, knowledge of the stored hash is sufficient to impersonate the user on your site.
SSL certificates serve an entirely different purpose: the purpose of an SSL certificate is to make it difficult for a third-party rogue server to claim to be your server, because it doesn't have a certificate signed by some mutually trusted third party that it belongs on your domain. On the other hand, if you can't stop a rogue server from impersonating yours, you can't protect your users from giving their password to that rogue server, cryptography notwithstanding.
讨论(0) -
http://www.jcryption.org/ -- Is the combination you are looking for.
讨论(0) -
You don't need to encrypt the password. You need to hash the password. You really really don't want to have any access to the plaintext password yourself whatsoever, otherwise you lose non-repudiation, which has serious legal consequences. You need to investigate the meaning of this thoroughly before proceeeding.
讨论(0) -
Only one problem: An attacker does not need to know the actual password. All he needs to see is the value that is sent to the server. This value allows the user to log in. It does not matter what that value is; whether it's plaintext, encrypted text or a picture of a cat. It's just a token that authenticates the user. If an attacker can see this token and repeat the same request and that same request allows him to log in, you gained nothing.
讨论(0) -
First, I don't think this is a good idea. I found some examples using Google that may be useful for you (I have not tested these, however):
GPL JavaScript Public Key Encryption
RSA Public Key Encryption Test in JavaScript
PGP Encryption in JavaScript
RSA Algorithm Example in JavaScript
You should establish some salting mechanism to salt every encrypted value otherwise the key could get compromised.
讨论(0) -
This is the code to take the input and then encrypt the content by java script The entire code is also available in github.you guys can search for it encrypt_js_decrypt_php. The problem was running since long.I have come up with the solution.Just import it into localhost.
<html> <input type="text" id="code" name="code"/> <input type="submit" name="submit" value="submit" onclick="return encryptCode();"/> <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script> <script type="text/javascript"> function rc4(key, str) { var s = [], j = 0, x, res = ''; for (var i = 0; i < 256; i++) { s[i] = i; } for (i = 0; i < 256; i++) { j = (j + s[i] + key.charCodeAt(i % key.length)) % 256; x = s[i]; s[i] = s[j]; s[j] = x; } i = 0; j = 0; for (var y = 0; y < str.length; y++) { i = (i + 1) % 256; j = (j + s[i]) % 256; x = s[i]; s[i] = s[j]; s[j] = x; res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]); } return res; } function encryptCode() { var value = document.getElementById("code").value; var key = "secretKeyToProvide"; /*--Provide Your secret key here--*/ var codeValue = rc4(key, value); var arr = {code:codeValue, Age:25}; $.ajax({ url: "response.php", type: "POST", data: JSON.stringify(arr), dataType: 'json', async: false, contentType: 'application/json; charset=utf-8', success: function(data) { alert(data); } }); } </script> </html>Now,lets decrypt the code in php
<?php function mb_chr($char) { return mb_convert_encoding('&#'.intval($char).';', 'UTF-8', 'HTML-ENTITIES'); } function mb_ord($char) { $result = unpack('N', mb_convert_encoding($char, 'UCS-4BE', 'UTF-8')); if (is_array($result) === true) { return $result[1]; } return ord($char); } function rc4($key, $str) { if (extension_loaded('mbstring') === true) { mb_language('Neutral'); mb_internal_encoding('UTF-8'); mb_detect_order(array('UTF-8', 'ISO-8859-15', 'ISO-8859-1', 'ASCII')); } $s = array(); for ($i = 0; $i < 256; $i++) { $s[$i] = $i; } $j = 0; for ($i = 0; $i < 256; $i++) { $j = ($j + $s[$i] + mb_ord(mb_substr($key, $i % mb_strlen($key), 1))) % 256; $x = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $x; } $i = 0; $j = 0; $res = ''; for ($y = 0; $y < mb_strlen($str); $y++) { $i = ($i + 1) % 256; $j = ($j + $s[$i]) % 256; $x = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $x; $res .= mb_chr(mb_ord(mb_substr($str, $y, 1)) ^ $s[($s[$i] + $s[$j]) % 256]); } return $res; } $request_body = file_get_contents('php://input'); $json = json_decode($request_body); $secretCode =$json->code ; $age =$json->Age ; $key = "secretKeyToProvide"; /*--Provide Your secret key here what you have given in javascript--*/ $decryptedSecretCode = rc4($key, $secretCode) ; echo $decryptedSecretCode; exit; ?>讨论(0)
加载中...
- 热议问题