Hi All,
I want to encrypt password in JQuery and decrypt it in servlets. Please tell me which algorithm should I use and how to implement this thing.
Hi All,
I want to encrypt password in JQuery and decrypt it in servlets. Please tell me which algorithm should I use and how to implement this thing.
A simple spot of Googling would have got you the answer. The available algorithms seem to be Blowfish, SHA and Rc4. If you want decryption blowfish would be the way to go. For smaller datasets you can use rc4.
For a practical example look at how Yahoo does its logins. The login form has a hidden field which acts as the salt called ".challenge", this is embedded in the hash as follows:
fullhash=MD5(MD5(passwd)+challenge)
This is a classic encryption problem. The one-way hashes described by whatnick will work but there are security issues. Notably an attacker can perform a replay attack as the hash cannot be salted, meaning the user can only ever send the one hash that corresponds to the hast stored in the database. In other words, this is almost the same thing as sending the password in plain text.
The only way to do this properly is with a non-symmetric public key cypher such as RSA. I have seen a Javascript implementation here. I would argue that this is more complicated than necessary and that just doing a secure login via SSL is most probably the safest and easiest thing in the long run.
You want to use HMAC.
Basically, you send 2 salts to the client. You store in your database
md5(salt + pwd)
you send a unique salt2 and the db salt to the end user, who returns
md5(salt2 + md5(salt + pwd))
and then you compare to that same operation server-side.
As long as you vary the salt sent and don't accept old ones, it is about as secure as you're going to get without SSL. You definitely don't want to try to use AES or RSA anything similar.
If you don't like md5, use any other hashing algorithm of your choice.