String Encryption in javascript and Decryption in java

sahej aggarwal
Greenhorn

Joined: May 11, 2009
Posts: 6
Hello friends

I want a way to encrypt any given data string with the help of JavaScript, and the output encrypted string should be given as an input to the Java code to decrypt the encrypted string to its original form.

Please, can anyone help me with the code?
I will be very thankful to you all.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42023
Is this for a web app where the Java code would be a servlet, and the communication happening over HTTP? If so, is there any particular reason you don't want to use HTTPS for encryption?


Ping & DNS - my free Android networking tools app
sahej aggarwal
Greenhorn

Joined: May 11, 2009
Posts: 6
Ya, it's a web app and I'm using HTTPS with a valid SSL certificate, but still my data can be seen by Paros on the network,
and yes, the Java code could be a servlet or a JSP.

Can someone please help me out with the above-mentioned subject?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42023
SSL traffic is encrypted. It can only be seen by a proxy (like Paros) if a proxy is being used (and that should in any case be internal to the company, so no harm done). Where exactly do you see the security risk?
sahej aggarwal
Greenhorn

Joined: May 11, 2009
Posts: 6
I can see the encrypted data on the WWW (World Wide Web).
And I know that on the local network it won't harm us, but it's anyhow coming on live also.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42023
sahej aggarwal wrote: I can see the encrypted data on the WWW (World Wide Web).

What *exactly* are you seeing that can be seen by any user on the web? Where do you see that, and how? TellTheDetails
Andrew Monkhouse
author and jackaroo
Marshal Commander

Joined: Mar 28, 2003
Posts: 11464

sahej aggarwal wrote: Ya, it's a web app and I'm using HTTPS with a valid SSL certificate, but still my data can be seen by Paros on the network,
and yes, the Java code could be a servlet or a JSP.

Can someone please help me out with the above-mentioned subject?


Heh - it looks like Paros may be misleading in this case. While you may very well have a valid SSL certificate on your web server, it looks like the staff at Paros are recommending you set the proxy on your web browser for both your secure and insecure data to point to their software, using the same port. I am almost certain that this will result in Paros either not using SSL whatsoever, or using zero-bit encryption (in other words, no encryption) to get to your data.

So - yes, configuring your system in that way will result in breaking the security of your system, and all data that you thought should be encrypted will actually be in plain text until after it leaves the Paros application.


The Sun Certified Java Developer Exam with J2SE 5: paper version from Amazon, PDF from Apress, Online reference: Books 24x7 Personal blog
Andrew Monkhouse
author and jackaroo
Marshal Commander

Joined: Mar 28, 2003
Posts: 11464

Actually I may have spoken too soon - it appears on a little further analysis that it can be configured to use your certificate, as long as you provide the security phrase.

Same result though - if you are providing the pass phrase, then it can decrypt all the information that is normally encrypted by SSL.

I really hope you are not doing this with a production SSL certificate. Or if you are, I hope you have read through all the source code of Paros.
ganeshraj kumar
Greenhorn

Joined: Jan 19, 2010
Posts: 3
Hello friends,

I am also facing the same problem.

I want a way to encrypt any given data string with the help of JavaScript, and the output encrypted string should be given as an input to the Java code (servlet) to decrypt the encrypted string to its original form.

Please, can anyone help me with the code?
I will be very thankful to you all.

The reason for not using an SSL certificate is:

1. We are using it for an internal site, for which we are using an IP address to access the website. And if we use SSL for this purpose, we are not able to delete the security alert coming for this SSL. And my clients don't want this security alert. And I found there is no way to disable this security alert unless we have a proper website name.

This is the reason why I want to go for JavaScript encryption and servlet decryption technology.

Could anyone please help me in this regard?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42023
ganeshraj kumar wrote: This is the reason why I want to go for JavaScript encryption and servlet decryption technology.

This is a rather unusual threat scenario - you trust the client, but not the network? In an internal application? What, exactly, are you trying to guard against? Done by whom?
ganeshraj kumar
Greenhorn

Joined: Jan 19, 2010
Posts: 3
Hello Dittmer,

Thanks for your reply.

I found there is no way to disable the security alert unless I use a proper name for the website, which is not possible for an intranet application.

I want to secure all my data when I transfer it (meaning when I submit the data from the form) from the client (IE or Mozilla) to the server (Tomcat). It should not get caught by anyone on the network.

I.e., when I submit my data in an HTML form, the data should be encrypted and transferred to the server, and I need to decrypt the data on the server side. Which means on the way from client to server I want to guard the data...

Could you please help me out in this regard?

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42023
If you trust all client users -that's implicit by using JavaScript encryption-, then who is the person you are trying to protect the data from? Who can listen in on the internal network, but is not an authenticated user?

A much, MUCH, better solution would be to use a hostname instead of an IP address, and then to use a properly signed certificate.
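
The fix suggested in the post above (a hostname plus a properly signed certificate), worked through with OpenSSL as an added example; it is not code from any poster in this thread. The CA name, the hostname intranet.example.internal, the address 10.0.0.5 and all file names are constructed, and it assumes the clients can be given the private CA certificate to trust.

```shell
#!/bin/sh
# Added example; the CA name, hostname, IP address and file names are constructed.

# Create a private CA in directory $1 and issue a server certificate for hostname $2.
issue_intranet_cert() {
    out=$1 host=$2
    cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. Self-signed CA certificate. ca.pem is imported once into each client's
    #    trust store; ca.key never leaves the machine that signs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$out/ca.cnf" \
        -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null || return 1
    # 2. Server key plus a signing request naming the host.
    openssl req -new -newkey rsa:2048 -nodes -config "$out/ca.cnf" -subj "/CN=$host" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the request; the subjectAltName is what clients match
    #    against the name in the URL.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$out/san.ext"
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$out/san.ext" \
        -out "$out/server.pem" 2>/dev/null
}

# True only if server.pem chains to ca.pem and is valid for hostname $2.
verifies_for_host() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# The same check for a client that connects by IP address $2 instead.
verifies_for_ip() {
    openssl verify -CAfile "$1/ca.pem" -verify_ip "$2" "$1/server.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
issue_intranet_cert "$demo" intranet.example.internal
verifies_for_host "$demo" intranet.example.internal && echo "by hostname: trusted"
verifies_for_ip "$demo" 10.0.0.5 || echo "by IP address: name mismatch, the browser alert"
rm -rf "$demo"
```

server.key and server.pem are the pair the web server's HTTPS connector is then configured with.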
hrrepka com
Greenhorn

Joined: Mar 12, 2011
Posts: 1
Here you can find out how to encrypt in JavaScript and decrypt in Java using the AES algorithm with counter mode:

http://www.hrrepka.com:8080/app/rijndael.iface
 