1

I have a scenario where I have to encrypt on the server side (using Java) and decrypt the same data on the client side (using any JavaScript library) using asymmetric key cryptography, because we want to send some sensitive information from the server side. So my question here is:

  1. Is it really possible? If yes, how?
  2. If no, why?

If it is really possible, then please provide any link or any example to start off, and please provide alternatives only if it is not possible (I know we have SSL for that, but please keep this aside).

Any help is greatly appreciated.

Novice
  • 1
    Is the JavaScript being run in a web browser or is it something like a Node.js library? What I'm getting at is: If you have to send the JavaScript library to the other party (Web Browser) then you MUST use SSL to protect against man-in-the-middle attacks. However, if it is Node.js and the end 'user' already has the JavaScript code (and you can verify its origin) then you might be able to find a solution. – Randy May 15 '14 at 14:18
  • See the #1 answer from here for more information: http://stackoverflow.com/questions/6116883/are-there-any-asymmetric-encryption-options-for-javascript – Randy May 15 '14 at 14:20

2 Answers

3

I'm going to go ahead and leave an answer:

It is impossible to protect from a Man-In-The-Middle attack without SSL. If someone were to launch such an attack, they could simply modify the JavaScript to remove any encryption you are using - or simply use the data after it's been decrypted.

In short: Yes, it's possible to encrypt and decrypt data in JavaScript, however, it is not truly protected.

See this answer for additional information: https://stackoverflow.com/a/6121236/2155492

Community
Randy
  • Thanks, but I think you are talking about encrypting at the client side and decrypting at the server side, and I am talking about the opposite here. – Novice May 15 '14 at 14:36
  • 1
    It doesn't matter which direction you need to encrypt or decrypt. By using insecure HTTP, you open up the possibility for someone to sit in the middle between the server and the client. They can change your JavaScript to do whatever they want. They could simply add a function which sends that data to their server after your JavaScript decrypts the encrypted message. – Randy May 15 '14 at 14:40
1

In my opinion it is possible but pointless.

  1. You have to send the key with the encrypted data.
  2. Your JavaScript code is visible.

It may be possible if you generate the keys dynamically and tie them to a session so everyone using them will have a unique key, but I think it's still not very safe.

Ehwas
  • Thanks for the reply. Can you provide me any link describing the process of how to do that, meaning generating the unique (I think private) key and tying them to a session? – Novice May 15 '14 at 14:31
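An added example, not part of the original question or answers: the per-session key idea from the second answer, sketched with the WebCrypto API, where the client generates an RSA-OAEP key pair, sends only the public key, and decrypts what the server encrypts to it. The function names are hypothetical and the Java server is simulated in JavaScript; the exchange authenticates neither the script nor the public key, so it still depends on TLS as the first answer states.

```javascript
// WebCrypto is a global in browsers and recent Node; older Node exposes it
// via node:crypto (assumption: CommonJS when the fallback is needed).
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require('node:crypto').webcrypto.subtle;
const OAEP = { name: 'RSA-OAEP', hash: 'SHA-256' };

// Client: one key pair per session. extractable=false applies to the private
// key, so script cannot export it; the public key is still exportable.
async function newSessionKeys() {
  const pair = await subtle.generateKey(
    { ...OAEP, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    false, ['encrypt', 'decrypt']);
  const spki = await subtle.exportKey('spki', pair.publicKey); // DER, sent to server
  return { privateKey: pair.privateKey, spki };
}

// Server stand-in (hypothetical; the question's server is Java). A Java peer
// must use SHA-256 for both the OAEP digest and MGF1 to match WebCrypto.
async function serverEncrypt(spki, text) {
  const pub = await subtle.importKey('spki', spki, OAEP, false, ['encrypt']);
  return subtle.encrypt({ name: 'RSA-OAEP' }, pub, new TextEncoder().encode(text));
}

// Client: returns the plaintext, or null when the ciphertext was produced for
// a different session key or was altered in transit.
async function clientDecrypt(privateKey, ciphertext) {
  try {
    const plain = await subtle.decrypt({ name: 'RSA-OAEP' }, privateKey, ciphertext);
    return new TextDecoder().decode(plain);
  } catch {
    return null;
  }
}

// Constructed sample: two sessions, one message encrypted for session A only.
async function demo() {
  const a = await newSessionKeys();
  const b = await newSessionKeys();
  const ct = await serverEncrypt(a.spki, 'constructed sample secret');
  return {
    sameSession: await clientDecrypt(a.privateKey, ct),
    otherSession: await clientDecrypt(b.privateKey, ct),
  };
}
```

RSA-OAEP with a 2048-bit key and SHA-256 encrypts at most 190 bytes, so larger payloads need a symmetric key wrapped this way rather than direct RSA encryption.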