
String Encryption in javascript and Decryption in java

 
sahej aggarwal
Greenhorn
Posts: 6
Hello friends

I want a way to encrypt any given data string with the help of JavaScript, and the output encrypted string should be given as an input to the Java code to decrypt the encrypted string to its original form.

Please, can anyone help me with the code?
I will be very thankful to you all.
 
Ulf Dittmer
Rancher
Posts: 42968
Is this for a web app where the Java code would be a servlet, and the communication happening over HTTP? If so, is there any particular reason you don't want to use HTTPS for encryption?
 
sahej aggarwal
Greenhorn
Posts: 6
Yes, it's a web app and I'm using HTTPS with a valid SSL certificate, but my data can still be seen by Paros on the network,
and yes, the Java code could be a servlet or a JSP.

Can someone please help me out with the above-mentioned subject?
 
Ulf Dittmer
Rancher
Posts: 42968
SSL traffic is encrypted. It can only be seen by a proxy (like Paros) if a proxy is being used (and that should in any case be internal to the company, so no harm done). Where exactly do you see the security risk?
 
sahej aggarwal
Greenhorn
Posts: 6
I can see the encrypted data on the WWW (World Wide Web),
and I know that on the local network it won't harm us, but it is anyhow coming on live also.
 
Ulf Dittmer
Rancher
Posts: 42968
I can see the encrypted data on the www (world wide web).

What *exactly* are you seeing that can be seen by any user on the web? Where do you see that, and how? TellTheDetails
 
Andrew Monkhouse
author and jackaroo
Marshal Commander
Posts: 11914
sahej aggarwal wrote: Yes, it's a web app and I'm using HTTPS with a valid SSL certificate, but my data can still be seen by Paros on the network,
and yes, the Java code could be a servlet or a JSP.

Can someone please help me out with the above-mentioned subject?


Heh - it looks like Paros may be misleading in this case. While you may very well have a valid SSL certificate on your web server, it looks like the staff at Paros are recommending you set the proxy on your web browser for both your secure and insecure data to point to their software, using the same port. I am almost certain that this will result in Paros either not using SSL whatsoever, or using zero-bit encryption (in other words, no encryption) to get to your data.

So - yes, configuring your system in that way will result in breaking the security of your system, and all data that you thought should be encrypted will actually be in plain text until after it leaves the Paros application.
 
Andrew Monkhouse
author and jackaroo
Marshal Commander
Posts: 11914
Actually I may have spoken too soon - it appears on a little further analysis that it can be configured to use your certificate, as long as you provide the security phrase.

Same result though - if you are providing the pass phrase, then it can decrypt all the information that is normally encrypted by SSL.

I really hope you are not doing this with a production SSL certificate. Or if you are, I hope you have read through all the source code of Paros.
 
ganeshraj kumar
Greenhorn
Posts: 3
Hello friends,

I am also facing the same problem.

I want a way to encrypt any given data string with the help of JavaScript, and the output encrypted string should be given as an input to the Java code (servlet) to decrypt the encrypted string to its original form.

Please, can anyone help me with the code?
I will be very thankful to you all.

The reason for not using an SSL certificate is:

1. We are using it for an internal site, for which we use an IP address to access the website. If we use SSL for this purpose, we are not able to remove the security alert that comes up for this SSL, and my clients don't want this security alert. I found there is no way to disable this security alert unless we have a proper website name.

This is the reason why I want to go for JavaScript encryption and servlet decryption technology.

Could anyone please help me in this regard?
 
Ulf Dittmer
Rancher
Posts: 42968
This is the reason why I want to go for JavaScript encryption and servlet decryption technology.

This is a rather unusual threat scenario - you trust the client, but not the network? In an internal application? What, exactly, are you trying to guard against? Done by whom?
 
ganeshraj kumar
Greenhorn
Posts: 3
Hello Dittmer,

Thanks for your reply.

I found there is no way to disable the security alert unless I use a proper name for the website, which is not possible for an intranet application.

I want to secure all my data when I transfer it (that is, when I submit the data from the form) from the client (IE or Mozilla) to the server (Tomcat). It should not get caught by anyone on the network.

I.e., when I submit my data in an HTML form, the data should be encrypted and transferred to the server, and I need to decrypt the data on the server side. This means that on the way from client to server I want to guard the data...

Could you please help me out in this regard?

Thanks.
 
Ulf Dittmer
Rancher
Posts: 42968
If you trust all client users (that's implicit in using JavaScript encryption), then who is the person you are trying to protect the data from? Who can listen in on the internal network, but is not an authenticated user?

A much, MUCH, better solution would be to use a hostname instead of an IP address, and then to use a properly signed certificate.
 
hrrepka com
Greenhorn
Posts: 1
Here you can find out how to encrypt in JavaScript and decrypt in Java using the AES algorithm with counter mode:

http://www.hrrepka.com:8080/app/rijndael.iface
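
An added example (not part of any post in this thread, and not the code behind the linked page): the JavaScript side of such an exchange using Node's built-in crypto module, showing AES-CTR, the mode named in the last post, beside AES-GCM, which additionally rejects a message whose bytes changed in transit. A pre-shared key is assumed; the key, the form string and the wire layouts are constructed for illustration, and the Java transformation names in the comments are the standard JCE ones.

```javascript
const crypto = require('crypto');
// Constructed 128-bit sample key; a pre-shared key is assumed for this example.
const KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');

// AES-CTR, wire layout: iv(16) || ciphertext.
// Java side: Cipher.getInstance("AES/CTR/NoPadding") with IvParameterSpec(iv).
function ctrEncrypt(key, text) {
  const iv = crypto.randomBytes(16); // initial counter block, fresh per message
  const c = crypto.createCipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([iv, c.update(text, 'utf8'), c.final()]);
}
function ctrDecrypt(key, msg) {
  const d = crypto.createDecipheriv('aes-128-ctr', key, msg.subarray(0, 16));
  return Buffer.concat([d.update(msg.subarray(16)), d.final()]).toString('utf8');
}

// AES-GCM, wire layout: iv(12) || ciphertext || tag(16).
// Java side: Cipher.getInstance("AES/GCM/NoPadding") with GCMParameterSpec(128, iv);
// doFinal() takes ciphertext || tag and throws AEADBadTagException on a mismatch.
function gcmEncrypt(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, body, c.getAuthTag()]);
}
function gcmDecrypt(key, msg) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, msg.subarray(0, 12));
  d.setAuthTag(msg.subarray(msg.length - 16));
  // final() throws if the tag does not match the received bytes.
  return Buffer.concat([d.update(msg.subarray(12, msg.length - 16)), d.final()]).toString('utf8');
}

// Copy of msg with one bit changed, standing in for modification in transit.
function withBitChanged(msg, index) {
  const out = Buffer.from(msg);
  out[index] ^= 0x01;
  return out;
}

function demo() {
  const form = 'amount=100'; // constructed form data
  const ctr = ctrEncrypt(KEY, form), gcm = gcmEncrypt(KEY, form);
  let gcmRejected = false;
  try { gcmDecrypt(KEY, withBitChanged(gcm, 12)); } catch (e) { gcmRejected = true; }
  const ctrAfterChange = ctrDecrypt(KEY, withBitChanged(ctr, ctr.length - 1));
  return { ctr: ctrDecrypt(KEY, ctr), gcm: gcmDecrypt(KEY, gcm), ctrAfterChange, gcmRejected };
}
```

With CTR alone the changed message still decrypts, to a different string, so the servlet has no way to notice; with GCM the decrypt call fails instead.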
 