2

I would like to know if there is any library to do encryption in JavaScript and decryption in Java. I have already tried many APIs, but am not getting the same values in Java.
I want public-private key encryption and hence try to use RSA.
A few I have used are:

  1. www-cs-students.stanford.edu/~tjw/jsbn/
  2. ats.oka.nu/titaniumcore/js/crypto/readme.txt
  3. www.ohdave.com/rsa/

Few thing I checked, JavaScript breaks string into small chunks and then encrypts them which makes ciphertext different in Java and JavaScript. I edited the JavaScript code to use string as a whole but that didn't work.

I also tried to set charset of HTML page to utf-8 but it also did not work. I got success in encrypting single character string like 'K' to be encrypted and decrypted correctly which makes me think that there is problem in encrypting string in JavaScript by dividing it in small chunks (which I checked, but it fails with encrypting it as a whole).

My Java implementation is:

BigInteger d = new BigInteger("1f3fac65c4ae222e3a3074dd4c38fbb72c0705c4bbac0385b867c12c25a44e01", 16);
BigInteger e = new BigInteger("65537");
BigInteger N = new BigInteger("b42e91fbca364cf2a125aec67ffbdab624fd401100c40ea05189ba34d1028b0d", 16);
String messageToEncrypt = "kishor";
byte [] messageByte = messageToEncrypt.getBytes();
BigInteger message = new BigInteger(messageByte);
//Encrypting and Decrypting messages
//Encrypt a message using N and e:
BigInteger ciphertext = message.modPow(e, N);
//Decrypt the message using N and d:
BigInteger plaintext = ciphertext.modPow(d, N);
byte[] plainTextByte = plaintext.toByteArray();
String decryptMessage = new String(plainTextByte);
/*System.out.println("p : " + p);
System.out.println("q : " + q);*/
System.out.println("N : " + N.toString(16)); 
System.out.println("e : " + e.toString(16));
System.out.println("d : " + d.toString(16));
/*System.out.println("PhiN : " + PhiN);*/
System.out.println("ciphertext : " + ciphertext.toString(16));
System.out.println("decryptMessage : " + decryptMessage);
}

Kindly let me know if it is possible as I have searched many questions (on Stack Overflow itself) but am unable to find a solution. I am searching for a well tested pre-built library.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
Kishor Sharma
  • 129
  • 1
  • 1
  • 3

1 Answers1

5

Is the javascript run in a browser? If so, don't try to encrypt anything at all.

Please refer to my other answer for details. Basically, if you are doing something with javascript, the connection is either a) already secure or b) will not be any more secure with anything you do within the web app.

Note that I talk about hashing there but it really applies to any kind of procedure in javascript.

Community
  • 1
Zeta Two
  • 446
  • 3
  • 7
  • Using asymmetric encryption i can protect sensitive data and can easily extract it server side. It can increase a security which is sufficient in my case. If anyone experienced same problem and figured out solution kindly share. – Kishor Sharma Jul 31 '12 at 12:31
  • 4
    It cannot provide any further security. If you're not using SSL, the attacker can just perform a man-in-the-middle attack and steal the data by giving the user a different key. If you're already using SSL, you don't need more security, and you're just introducing needless complexity. – Polynomial Jul 31 '12 at 12:44
  • 2
    @KishorSharma - Unless you have a SSL connection no amount of encryption is useful since everything sent to the client and server in a plain text format. Since javascript is client side, any client, would be able to decrypt what you sent. – Ramhound Jul 31 '12 at 12:53
  • @Ramhound I agree on your point. I am using ssl and also agree that on ssl data sent to server are automatically encrypted. But Before sending to server a request can be captured and data can be extracted. I want to encrypt data just to add one more security level and hence increasing the data security. – Kishor Sharma Jul 31 '12 at 14:06
  • 1
    @KishorSharma What do you mean with "before sending request"? If the attacker is able to access any kind of data on the local machine then no javascript in the world will protect you. – Zeta Two Jul 31 '12 at 14:15
  • @Zeta I am talking about request packet. I don't want attacker to get plaintext data. And by using asymmetric encryption attacker need to figure out the private key to decrypt it. This increase the security and sending data as cipher text is better option than sending in plain text, I think. – Kishor Sharma Jul 31 '12 at 14:22
  • 3
    @KishorSharma The packet is already encrypted with SSL. Any further action will _not_ improve the security. Encryption via Javascript in the browser _can not_ be more secure than the way the javascript was transferred in the first place. For more information, read: http://www.matasano.com/articles/javascript-cryptography/ – Zeta Two Jul 31 '12 at 14:58