11

I recently found this RSA JavaScript library: http://www.ohdave.com/rsa/. However, it requires that the key be pre-generated. Here are my questions/issues:

  1. I'd like to generate an RSA keypair in the JavaScript (so that I don't have to change the code every time I want a new keypair.)

  2. While I understand how this can be used to send secure data, if I'm not mistaken this library cannot be used for the client to receive secure data from the server (because the public and private exponents, and the modulus, are transmitted plain-text from the server). Am I mistaken?

I'd love some discussion about this. I'm no security expert, but I have a pretty firm grasp on asymmetric encryption.

Improve this question
2
  • Can't you just send the data using SSL? It's secure and what's more important it's transparent for you so you don't need to do any kind of encryption/decryption on any sides. Commented Jul 17, 2009 at 5:32
  • 2
    Maybe I could do SSL. But what if i'm using a host that doesn't support it? Personally, I don't know how to configure SSL - all the stuff I found online isn't straight forward. Regardless, SSL isn't really relevant to my question. Commented Jul 17, 2009 at 8:36

2 Answers 2

Reset to default
3

The question has been asked almost 10 years ago and since then lot of things has improved. Currently, most of the modern browsers feature Web Crypto API that provides the capability to generate strong random numbers and therefore allows a script to generate cryptographic keys, sign data, verify signatures, encrypt and decrypt data and other cryptographic operations.

Here is a sample code from the MDN mentioned above:

let keyPair = window.crypto.subtle.generateKey(
  {
    name: "RSA-OAEP",
    modulusLength: 4096,
    publicExponent: new Uint8Array([1, 0, 1]),
    hash: "SHA-256"
  },
  true,
  ["encrypt", "decrypt"]
);
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

Generating the keypair requires a strong random number generator (I don't think you have one in JavaScript), and quite a bit of computation (for primality testing). Then once you have your pair, when you transmit your public key up to the other side, there's an opportunity for man-in-the-middle attack since there is no integrity check on the public key transmission.

You will get secure transmission to whoever has the private key. It's not clear from your question whether that is the client or the server. You can initialize a shared secret by having whoever has only the public key generate a shared secret, encrypt it and send it to whoever has the public key.

You can get a similar feature set (dependence on random number generator, vulnerability to MITM, ability to create shared secret for use as session key) but with much less computation by performing a Diffie-Hellman key exchange instead.

You are probably better off figuring out how to configure SSL on your server.

Improve this answer

2 Comments

The Diffie-Hellman key exchange sounds interesting, I'll look into that. Heres a link I found to a javascript implimentation: enanocms.org/News:Article/2008/02/20/… On the point of assymetric key pairs, a strong random number generator could be ported pretty easily from another language. Same with primality testing. I don't think this would be entirely time-prohibitive in javascript, especially with the right background thread runing it (while a user uses the rest of the page). Do you know of any good C-style RSA key generation code i could use?
I hear that Simson Garfinkel's book on PGP has a pretty good explanation of the code including the primality tester - using various fast methods then doing some final passes with code based on Fermat's Little Theorem. And you should be able to finding it in some old PGP source or any of the OpenPGP or gpg implementations. But I think you will find that it's too slow running in Javascript.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.