First I'll say: Yes, this is Servlets related - at least the first part...
We have a setup where we have 'n' http domains that all must process their e-commerce stuff through '1' https (SSL protected) domain. In order to bounce between the servers, we're doing the fairly simple trick of outputting a form (on the http side) that uses javascript to POST itself to the https side.
SO... that hidden field called "theAmountOfMoneyYouOweUs" is completely visible and 'hackable' by anyone with the least amount of browser know-how. Just turn off javascript and create your own form submission.
I thought to do something like the following:
I can concatenate all the parameters I need into a big tokenized String, encrypt it on the http side with the public key. Then on the https side, I use the private key to decrypt the received String, and tokenize and pull out the pieces again. I could also use symmetric enc (one private key).
1) Is this just stupid? What other ways can I solve this problem of wanting to protect/obscure form post data between domains? (this is why I've posted this to Servlets.. perhaps someone can point out the obvious answer I've missed).
Here's where it gets past Servlets a bit...
2) I've never done crypto before, and I'm becoming completely overwhelmed with the amount of effort it seems to take to get the simplest thing to work. I've been able to generate my public and private RSA keys.
Now.. I should be able to use those keys in a Cipher... but I can't get an RSA Cipher.
The 'signer' works fine (I took this from a tutorial on digital signatures) but the cipher throws
java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA
Apparently I need a different provider than the one that comes baked-in to JDK1.4. I've been to bouncycastle.org, and then they start advising about security policies, and how to install the JCE provider. ARGH!
Does anyone know of a JDK1.4 built-in encryption algorithm that I can use to generate public/private keys, and the Cipher, and anything else I'd possibly need to encrypt/decrypt a simple String?
It doesn't have to be made of a titanium/steel alloy, it really just has to discourage the slightly bright, but essentially lazy.
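Added example (not the poster's code) for the question of protecting the hidden form fields between the http and https domains: rather than encrypting the values, the http side appends an HMAC (javax.crypto.Mac with the standard JCE algorithm name HmacSHA1) over the fields under a secret shared with the https side, and the https side recomputes the tag before trusting the amount. The shared key, the field names and the '|' separator are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the poster's code. The http side and the https side share
// one secret key (assumed to be deployed on both servers out of band). The
// http side emits the fields plus an HMAC over them as hidden inputs; the
// https side recomputes the HMAC and rejects the POST when it does not match,
// so an edited amount fails verification instead of being honoured.
public class FormTokenExample {
    private static final String ALG = "HmacSHA1";

    // Canonical string the MAC covers. The '|' separator is an assumption and
    // must not occur inside the values (URL-encode them in a real deployment).
    static String canonical(String orderId, String amountCents, String currency) {
        return orderId + "|" + amountCents + "|" + currency;
    }

    static String hexMac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        byte[] out = mac.doFinal(data.getBytes("UTF-8"));
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < out.length; i++) {
            String h = Integer.toHexString(out[i] & 0xff);
            if (h.length() == 1) sb.append('0');
            sb.append(h);
        }
        return sb.toString();
    }

    // Constant-time comparison so the check does not leak how many leading
    // characters of the submitted tag were correct.
    static boolean verify(byte[] key, String data, String tag) throws Exception {
        byte[] a = hexMac(key, data).getBytes("UTF-8");
        byte[] b = tag.getBytes("UTF-8");
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-replace-me".getBytes("UTF-8");
        String fields = canonical("ORD-1001", "4999", "USD");
        String tag = hexMac(key, fields);   // emitted as a hidden field on the http side
        System.out.println("valid   : " + verify(key, fields, tag));      // true
        // A browser-side edit of the amount changes the covered string:
        String tampered = canonical("ORD-1001", "1", "USD");
        System.out.println("tampered: " + verify(key, tampered, tag));    // false
    }
}
```

Including the order id (or a timestamp) in the covered string limits replay of an old but valid tag; the tag proves integrity and origin, not secrecy, which is what the tamperable amount field actually needs.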