Ajax Login: Password Encryption [closed]

Answer 1

It is possible to do this via Ajax by using multiple tools. I have personally done this for the logon of a database app. Unfortunately, I don't know of a single solution to accomplish this. And ultimately, the best solution is to use a SSL certificate. But I have seen times when you need to stand up an app securely before having the SSL in place.

Bcrypt is definitely the more secure way to store a password in a users database, but this applies to the backend, not so much the Ajax part. If you were to use Bcrypt in the client/browser, the encrypted string is still being passed over the internet insecurely.

The solution I recently built uses RSA encryption and AES encryption between the browser (in JavaScript) and the server (in my case, an ASP.NET site).

The flow works like this:

• Client asks server for RSA public key.
• Server sends back RSA public key and keeps RSA private key.
• Client creates an AES key and encrypts it with the RSA public key.
• Encrypted AES key is sent back to server and kept in memory.
• Now Ajax messages can be transmitted both ways securely.
  • Each side now securely knows the AES key for encrypting and decrypting.

I wish there was a one-stop solution to do all of this, but I'm unaware of one at this time.

The libraries I used are:

• https://code.google.com/p/crypto-js/
• http://www.bouncycastle.org/csharp/
• http://bcrypt.codeplex.com/

Answer 2

Why not using sha1 ( http://www.webtoolkit.info/javascript-sha1.html ) and hashing password before sending it? You should store passwords hashed in database too. So it will be a good practice, if you store it in plain text.

Answer 3

Bcrypt could be your friend. And there is also an implementation in Javascript named jsBCrypt. I highly recommend reading this insightful article: Storing passwords in uncrackable form.

But: Be careful! If you do not use SSL or a server provided nonce, you may be vulnerable to man in the middle attacks. If someone reads the (unencrypted) traffic between your client and the server, he gets the encrypted password. And it is enough for him to use it to authenticate against the server whenever he wants without knowing the real password..

Answer 4

you want to use https. Note that even if you do, you will still see the unencrypted values in the browser, because when firebug grabs the data (either way) it has not been encrypted/decrypted yet.

I really think biting the bullet and setting up https is the way to go. It is well-vetted technology. If you want to roll your own, its not going to be secure, and you are going to have to do a lot of work on both the client and server.