In my ASP.NET MVC application I'm not using SSL, but I need to send the password in encrypted form to the server. I need some implementation like this:

In C# code: generate public and private keys, and send the public key to the client (JS code).

In JS code: encrypt the password using the public key.

In C# code: decrypt the encrypted password.

How to achieve this?

A.R
  • 2
    This looks like a perfect opportunity for Man-in-the-middle attack. – prq Apr 22 '14 at 08:34
  • 2
    I can highly recommend NOT making this all yourself. Using an SSL certificate definitely is the way to go and by creating it yourself you'll only create more possible errors. The certificates don't cost that much these days anyway. If you're interested in it I would refer you to this question: [stackoverflow - Simple string encryption in .NET and Javascript](http://stackoverflow.com/questions/746347/simple-string-encryption-in-net-and-javascript) – janpieter_z Apr 22 '14 at 08:37
  • MD5 or SHA encryption with a salt (maybe the public key used as salt) is pretty universal and should allow you to encrypt with JavaScript before sending the password to the server-side code. You wouldn't need to decrypt since you should be storing encrypted passwords anyway. So comparing the received encrypted password and comparing it to the username & password stored on your side, should get you what you want without having to resort to SSL. – user3036342 Apr 22 '14 at 08:43
  • I need to decrypt. I validate network login as well as DB users. – A.R Apr 22 '14 at 08:47
  • This question http://stackoverflow.com/questions/19418021/rsa-encrypt-password-in-javascript-but-failed-to-decrypt-that-in-c-sharp provides partial answer to my question. Partial because the problem reported in the question does not seem to have been solved – A.R Apr 22 '14 at 10:39

0 Answers