How to encrypt and Decrypt form parameters?

 
asif abdul aziz
Greenhorn
Posts: 6
Hi all,
I would like to know how to encrypt and decrypt form post parameters.

Here is my code
// needs: import java.text.NumberFormat; import java.text.DecimalFormat;
// (in a JSP: <%@ page import="java.text.*" %>)
try {
    out.println("<html><body><form name=test method=post action='second.jsp'>");
    NumberFormat formatter = new DecimalFormat("#0.000");
    // getParameter() returns a String, not an int
    String val1 = req.getParameter("esal");
    // format() takes the number; the closing quote is appended to its result
    out.println("<input type=hidden name='param1' value='" + formatter.format(Float.parseFloat(val1)) + "'>");
} catch (Exception e) {
    System.out.print("error");
}
out.println("</form></body></html>");
out.println("<script language='javascript'>document.test.submit();</script>");
 
Ulf Dittmer
Rancher
Posts: 42968
Welcome to JavaRanch.

The standard API for doing encryption is called JCE. Here's an example of how to use it with the DES cipher (which is obsolete - you should use "TripleDES" instead, but the code is the same).
Keep in mind that encrypted data is binary, so you can't add it to a page directly; you'll need to convert it to a string, using something like base-64 encoding.

Having said that, if the data that's to be kept secret exists on the server, why send it to the client in the first place? Why not put it in a session, and save yourself from the encryption overhead?
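An added example, not the code Ulf links to and not part of the thread: it uses AES in GCM mode instead of DES/TripleDES, so the decrypt step also rejects any change to the value rather than producing garbage, and Base64 makes the ciphertext safe to place in a hidden field. The class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not from the thread): seals a form value so the client
// only sees opaque Base64 text, and any change to it is rejected on submit.
public final class SealedParam {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_BYTES = 12, TAG_BITS = 128; // GCM nonce / tag
    private final SecretKeySpec key;   // stays on the server, never sent to client
    public SealedParam(byte[] rawKey) { key = new SecretKeySpec(rawKey, "AES"); }

    // Render time: encrypt, prefix the nonce, Base64-encode for the hidden field.
    public String seal(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                              // fresh nonce per value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Submit time: null means the value was altered (or was never ours); the GCM
    // tag check fails instead of silently yielding garbage plaintext.
    public String unseal(String token) {
        try {
            byte[] in = Base64.getDecoder().decode(token);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16]; RNG.nextBytes(k);       // constructed demo key
        SealedParam sp = new SealedParam(k);
        String hidden = sp.seal("1234.500");            // goes into value='...'
        System.out.println(sp.unseal(hidden));          // prints 1234.500
        char[] t = hidden.toCharArray(); t[20] = (t[20] == 'A') ? 'B' : 'A'; // flip one char
        System.out.println(sp.unseal(new String(t)));   // prints null
    }
}
```

In a real deployment the key is generated once and loaded at startup; a fresh key per request, as in the demo, would make every submitted value unreadable.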
 
David O'Meara
Rancher
Posts: 13459
I wouldn't, it would be far easier and safer to use HTTPS for the data transfer, and make sure the form uses POST rather than GET.
 
asif abdul aziz
Greenhorn
Posts: 6
hi,
I am using HTTPS and the POST method only. But there are some tools like Tamper Data (https://addons.mozilla.org/en-US/firefox/addon/966) which are used to view and modify HTTP/HTTPS headers and POST parameters...

I am trying to avoid that.
 
Ulf Dittmer
Rancher
Posts: 42968
73
Sure, the client can submit anything he wants - HTTPS only protects the data in transit. But if the point is to prevent the client from seeing the data, then HTTPS does not help, and real encryption -or not round-tripping the data in the first place- is in order. Maybe you can clarify what exactly you're trying to accomplish.
[ August 28, 2008: Message edited by: Ulf Dittmer ]
 
asif abdul aziz
Greenhorn
Posts: 6
hi,
I want to prevent the client from changing the submitted data using the Tamper Data tool. How do I avoid that?
 
Ulf Dittmer
Rancher
Posts: 42968
73
By using encryption, or not round-tripping the data in the first place.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
The client will always be able to use the tool to alter the form data, I think you need to focus on whether you accept these changes.

One way, as Ulf mentions, is to encrypt the data on the server before sending it to the client. If the client alters the data it will no longer decrypt. Again as Ulf says, better not to send it to the client at all in this case.

Another possibility is to attach an MD5 fingerprint. We do this with online forms that contain a destination email address. This way we can store the address and fingerprint in the form, and the email address cannot be altered (note that a salt value is used in the MD5 to prevent the client substituting their own MD5).

Is any of this coming close to the mark, or do you need to provide more details?
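David describes a salted MD5 fingerprint; as an added example (not the poster's code), the same check implemented with an HMAC (HmacSHA256) keyed by a server-side secret, which is what the salt he mentions is for: the client cannot recompute the tag without the secret. The class and field names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not from the thread): tags a hidden form value so the
// server can tell on submit whether the client changed it.
public final class FormFingerprint {
    private final SecretKeySpec key;   // server-side secret, never sent to client

    public FormFingerprint(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(String fieldName, String value) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        // Bind the tag to the field name as well, so a valid tag issued for one
        // field cannot be reused as the tag for a different field.
        m.update(fieldName.getBytes(StandardCharsets.UTF_8));
        m.update((byte) 0);                 // separator between name and value
        return m.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }

    // Render time: emit value and fingerprint as two hidden fields.
    public String fingerprint(String fieldName, String value) throws Exception {
        return Base64.getEncoder().encodeToString(mac(fieldName, value));
    }

    // Submit time: recompute and compare in constant time (MessageDigest.isEqual).
    public boolean verify(String fieldName, String value, String tag) {
        if (value == null || tag == null) return false;
        try {
            return MessageDigest.isEqual(mac(fieldName, value), Base64.getDecoder().decode(tag));
        } catch (Exception e) {
            return false;                   // malformed tag or MAC failure
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        FormFingerprint f = new FormFingerprint(secret);
        String dest = "orders@example.com";  // constructed destination address
        String tag = f.fingerprint("dest", dest);
        System.out.println(f.verify("dest", dest, tag));                  // true
        System.out.println(f.verify("dest", "other@example.com", tag));   // false
        System.out.println(f.verify("cc", dest, tag));                    // false
    }
}
```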
 
asif abdul aziz
Greenhorn
Posts: 6
hi,
"Again as Ulf says, better not to send it to the client at all in this case".

How can I do that?
 
asif abdul aziz
Greenhorn
Posts: 6
hi,
"Another possibility is to attach an MD5 fingerprint".

What is this MD5 fingerprint?
Any tutorial or sample code will help me a lot.
 
Ulf Dittmer
Rancher
Posts: 42968
73
You can store it somewhere on the server, along with an identifier of the user to which it belongs. HTTP sessions are one way to achieve this, and probably the easiest since it doesn't require much code to implement.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
Another option is to store the data on the server attached to a token, then send the token to the client. This is similar to placing data on the session except you can reuse the token (multiple clients behaving in the same way), and the token has nothing to do with the actual data - as long as you ensure that altering the token doesn't jeopardise the security of the application!

The main difference between this and the session is that the data only exists in the request scope and won't cause concurrency issues common in session data (eg two forms open at the same time).
 
asif abdul aziz
Greenhorn
Posts: 6
hi,
I tried using session variables. The user or client cannot modify or do anything, even using the Firefox Tamper Data tool. It works. Thanks.

I have a doubt about session variables. Here it is:

Let's say

at http://abc.com I create a session variable and forward to a different domain, http://xyz.com, and this http://xyz.com does some validation and then forwards to the http://pqr.com domain.

Can the session variable be passed and retrieved across different domains, as in the above scenario?
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
The session will not be available in all domains unless they are all on the same server (or cluster) and single sign on is enabled, or some other form of data sharing is enabled between the domains.
 