I have designed a webpage using HTML and client side validation using JavaScript.PHP for server side.I want to encrypt the fields before it is transmitted over network,I have encryption code written in JAVA.Can anybody give me a solution as how can I incorporate java code for encryption?Or any better way for encryption?
Any help is greatly appreciated.
Thanks.
An example of AES encryption using JavaScript can be found here. Depending on your use case, https encryption may be a better option, or can at least provide an additional layer of privacy. I think the key question to ask yourself is whether the data on the server should be opaque to anyone but the client. If the server is going to use the data in its plaintext form, then https is a relatively safe, easy and robust option. If the server doesn't need the data, then having the user encrypt at the client in JavaScript would allow your server to maintain those sensitive fields in a way that would be useless to your own employees, but useful to the client who could regenerate the same key to decrypt it.
If you want to encrypt on client side and decrypt on server side, you'll have to do it with javascript on client side; maybe you can do it with an applet and that way use Java on client side, but that seems troublesome.
I think you better look into https.
I think a better way would be using https if you have the option to do so. Why reinvent the wheel?
Related
I have an applet that communicates with php through http post requests and then my php script inserts data in a mysql database. So the problem is that i guess anyone can make a http post requests and add data to my mysql database if they now the "post" names and of course i dont want that.
So i would like to have som solution where my php can be sure that the http requests are really from my applet and no one else. I would be grateful for ideas on how to solve this. The data being sent contains no secrets so it dont need to be encrypted if it can be solved with no encryption that is.
Thanks in advance.
If you can't use encryption while communicating , so the answer is simply you can't make sure.
In fact, even with encryption, it is impossible to determine whether a request was made by your applet or by something else that is perfectly mimicing its behavior. You will need to build your application such that it can deal with this.
Encryption will help secure any methodology you will put into place in order to achieve what you want, but it will do nothing on its own.
What you want is to authenticate the post message. This is usually achieved by having your client (here, applet) sign (HMAC) the POST message using a key that only the applet AND the server knows. The challenge here is that you need to securely store the key on the client side.
If I were you I would check into authenticating the users and hosting the applet in a secured area of your site, making sure your applet is re-using the HTTP session of the authenticated user when performing POST requests. Add to this basic safeguards against standard attacks (ie Cross Site Request Forgery, Replay attack, etc). This setup would make sure your requests come from your site by authorized users.
You could have the applet register by generating an RSA key pair on the client and sending the public key to the server. The server then keeps track of the public key of each registered client.
On each POST the client signs some piece of data using the private key, and includes the signature and the public key (or a hash of the public key) to identify itself. The server verifies that the public key is registered, and verifies the signature.
There would be no way to mimic this short of stealing the private key from the client, or breaking RSA encryption. Well, I guess you could record and replay somebody else's POST. There is that problem to solve.
However, you could have a fake client follow the steps of registration and send a public key, and then that fake client would be free to POST along with all valid clients. So there is that problem to solve, too.
I have been searching the web and here on how to create an encrypted chat server/client. And I think I got pretty confused now.
Firstly, I created a chat server/client from the free example Knock Knock Server from the Java Examples. So far, everything is working nicely, until I want to encrypt both server and clients.
Secondly, where do I start the encryption first? From the server then to the client? Am I suppose to use that Java Tool to create an encryption file for the server and share it with the clients?
Lastly, I am so confused after looking at so many tutorials on encryption, I don't know what is best for my situation. Can anyone help direct me to the correct tutorial website? Thanks a lot.
P.S. I do not know what kind of encryption tag I am suppose to use. Please edit that for me. Thank you.
I suggest you read about Transport Layer Security (TLS); It is probably the simplest reasonable approach to security and has been widely adopted (e.g. https and ftps).
In a sentence, it works by establishing a "secure channel" for your existing protocol to communicate over.
i don't think you need encryption and another tools. just use jsr-356 for websocket based chatting and ssl for securing your content.
I've have an application which send request to server side. my concern is that, a hacker could snoop traffic and resend the request after doing some modification in request itself.
I know the best way to solve this problem is to use SSL, but I think that will be an over killer for simple application like my application, I'm thinking to go with simple thing like MD5 algorithm.
This way if hacker tried to modify the request and resent it, at least I will discover that.
my question is that:
do you think this a good a approach, or you think there is a better way?
does the MD5 that is generated on iOS using objective C, will have the same value that is generated in Linux server using Java?
Traditionally you would need to make a hash from your payload + timestamp + secret token. Since only client and server know the token, you should be able to verify the hash correctly. And don't forget to include the timestamp in the transmission!
You may also want to encrypt the whole thing before sending - if the information is sensitive (like passwords, etc).
I believe MD5 will match if made on different systems (if done correctly).
I need to pass commands and data between a PHP CodeIgniter based server and a Java Client. I was thinking of using very simple encryption to encrypt / decrypt the messages. I have run into a lot of issues trying to do very basic crypto on the Java side.
Either I would like some help with the Java side of the Crypto, or a different idea to secure communication between the Client and Server.
The data is not sensitive and can be sent in the clear, as long as I can ensure it is coming from the correct source. I was thinking of using the basic encryption as an authentication measure that would not be circumvented by a replay attack. But I could be going about this all wrong.
Any help or comments are appreciated.
There is no method of guaranteeing that the data your server is received comes from a legitimate version of your Java app. If you're using any form of encryption, the key must be stored somewhere in your application bytecode. Also, it is not very difficult to hack the client-side application and let it send invalid data.
The correct approach is to keep in mind, on the server side, that your data might not be coming from the correct source and therefore you'll have to validate all data in order to make sure nothing illegal is being done.
If you just want to guarantee that legitimate users using your client application can be certain that they are communicating with your server, you can use HTTPS or some other method using asymmetric encryption.
i m using java,gwt.while login or creating account when user will enter the password,on server side i m encrypting it but i also want to apply encryption to passord on client side.which i will decrypt on server side and will use it for further process.
i googled but i m not getting which technique should i use for encryption on client side.
Thanks in advance.
Client side encryption in javascript will not be secure because you must somehow provide the key to the client and server. So key will need to be sent over unencrypted network.
This scheme is really a security through obscurity and is not secure, because someone could reverse engineer your protocol and get the key.
The only way to secure data on the web is HTTPS. You can simply configure this on the server without changing your code.
GWT-Crypto is what you need.
Hope this helps.