I need to create a basic JavaScript encryption function to encrypt the username and password on my login page. The only information I can find is the use of online software to provide encryption, but I need to use JavaScript and place a simple encryption function in my HTML code for my login page.
I would also like to better understand what type, application, and method actually mean when referring to encryption functions using JavaScript.
Thank you.
I found this simple text cipher/decipher utility. No dependencies with any external library. You can't expose your secret/salt on client side, otherwise whole purpose of encryption will fade away.
const cipher = salt => {
const textToChars = text => text.split('').map(c => c.charCodeAt(0));
const byteHex = n => ("0" + Number(n).toString(16)).substr(-2);
const applySaltToChar = code => textToChars(salt).reduce((a,b) => a ^ b, code);
return text => text.split('')
.map(textToChars)
.map(applySaltToChar)
.map(byteHex)
.join('');
}
const decipher = salt => {
const textToChars = text => text.split('').map(c => c.charCodeAt(0));
const applySaltToChar = code => textToChars(salt).reduce((a,b) => a ^ b, code);
return encoded => encoded.match(/.{1,2}/g)
.map(hex => parseInt(hex, 16))
.map(applySaltToChar)
.map(charCode => String.fromCharCode(charCode))
.join('');
}
// To create a cipher
const myCipher = cipher('mySecretSalt')
//Then cipher any text:
console.log(myCipher('the secret string'))
//To decipher, you need to create a decipher and use it:
const myDecipher = decipher('mySecretSalt')
console.log(myDecipher("7c606d287b6d6b7a6d7c287b7c7a61666f"))
Created by Jorgeblom
As was mentioned in comments, encryption over javascript is not very secure, as is described in the article: http://matasano.com/articles/javascript-cryptography/, but basically, someone can view the source and by using debugging tools they can determine how the encryption is done.
At times people can also grab the source as you are sending it.
Now, given this, encryption may be useful, if you don't fully trust SSL and you want to send something sensitive over the Internet.
So, you run into a problem of how to encrypt.
RSA encryption is good for small messages, because it is slow, so, for example, you want to encrypt a password. Then, the server could have included the public key, that it generated for this page, and your program encrypt.
Encryption is not going to be simple, but you can look at the source to this project and it may help guide you.
For an example, you can look at this page, where I got this:
function RSAdoEncryption()
{
var mod=new Array();
var exp=new Array();
var s = r2s(document.t.pkey.value);
var l = Math.floor((s.charCodeAt(0)*256 + s.charCodeAt(1)+7)/8);
mod = mpi2b(s.substr(0,l+2));
exp = mpi2b(s.substr(l+2));
var p = document.rsatest.plaintext.value+String.fromCharCode(1);
var pl = p.length;
if(pl > l-3)
{
alert('In this example plain text length must be less than modulus of '+(l-3)+' bytes');
return;
}
var b=s2b(p);
var t;
var i;
var startTime=new Date();
var enc=RSAencrypt(b,exp,mod);
var endTime=new Date();
document.rsatest.ciphertext.value=s2hex(b2s(enc));
document.rsatest.howLong.value=(endTime.getTime()-startTime.getTime())/1000.0;
}
Your last sentence doesn't make sense but I will guess.
There are two basic types of encryption, symmetric and asymmetric. RSA is an example of asymmetric, so the key used to encrypt is different than the key to decrypt. That is what is meant by a public and private key. One key is shared with people but it doesn't help you find the private key if you know the public key.
Symmetric encryption is where the same key is used to encrypt and decrypt. IDEA, AES, Blowfish are examples of symmetric keys.
I expect that method is the encryption algorithm but it can also refer, perhaps, to padding, where you add extra garbage or random characters at the end to make the message longer.
To preface, I'd like to say that it's not recommended that you create your own encryption scheme or implementation for use by anyone other than yourself. In addition, even though well-tested and known libraries are better than creating your own, you cannot guarantee any security.
With that said, here are a few encryption libraries out there that looks promising.
To encrypt a password, it's usually best to use a one-way hash function. Take a look at bcrypt. Below is a quick example of using bcrypt to demonstrate hashing a password after generating a salt.
var salt = bcrypt.gensalt(5);
bcrypt.hashpw('mypassword', salt,
function result(hashedpassword) {},
function callback() {}
);
Keep in mind that there are many points of vulnerability for a web application. The three main parts of a running application (aka the client, server, and transit) should be taken into consideration when working with security. SSL is necessary to protect your data in transit, but again, security is not guaranteed, as there are workarounds. In addition, an attacker can also launch attacks on the client and server.
Check out the OWASP (Open Web Application Security Project) Top Ten list of vulnerabilities. OWASP maintains this list to represent the most common and critical web application security flaws.
Security can be a very touchy subject, and many people neglect the importance of having a robust security system for public-facing applications. Granted, if you're working on a personal project or if your application does not deal with any confidential information, then you don't have to worry about this too much.
