javascript - What's the best option using CryptoJS: have the key stored on client and server sides, or generate the key and pass it some way to the other side?

I want to encrypt and decrypt data passed between client and server using CryptoJS. To decrypt the data it is necessary to know the key used, and I have 2 options:

  • Use a fixed key stored on both sides.
  • Generate a random key and pass it to the other side with the data.

In both cases, if the petition is captured, it can be resent to the server to access the page.

If I use a fixed key and someone has the key, they can decrypt all the messages, except if I change the key.

If I pass the key with the data, the key is in the data (I pass it in a non-clear way: you have to know which part is the key and which part is the data). The key changes every petition.

Anyway, I think an attacker can see the client-side code, discover the procedure used to encrypt the data, and apply the opposite procedure.

What's the best option?

PD: I know the HTTPS way, but I want this too.

Option 1:

Assuming you want to use CryptoJS, want to use HTTP, and don't want the attacker to know the secret key, you can use PBKDF2.

PBKDF2 is a password-based key derivation function.

You can generate a key from the user's password in the browser and use it to encrypt the data encryption key.

On the server side, assuming you have access to the user's password from the user database, you can re-generate the same PBKDF2 key using the password and decrypt the data encryption key.

Once both server and client have agreed on a shared data encryption key, you can have future exchanges of data using that key. In this process, a hacker may not access the data encryption key, as it is exchanged in encrypted form. Also, it requires a human to enter a password value the hacker is not aware of.

Note 1: This solution will not work if you are authenticating the user against a third-party authentication provider and do not have access to the user's password.

Note 2: CryptoJS seems to support only symmetric ciphers; hence, there is a need to exchange a key between client and server. The key has to be exchanged via a shared secret that is not shared over the same channel on which the key is used.

Option 2:

If you can't use PBKDF2 for some reason, and still want to exchange keys securely between client and server, then you have to employ asymmetric encryption. The library jsencrypt provides RSA encryption.

If this library is employed, then the client (browser) can generate a key using CryptoJS, encrypt it with the RSA public key using jsencrypt, and send the encrypted key to the server. The server can decrypt the encrypted key using the RSA private key. This process results in a safe exchange of the key.
