2

I want to encrypt a string in JavaScript, pass that string through GET to PHP, and decrypt that string in PHP.

How can I keep the string secret in JavaScript?

For example, I use CryptoJS `crypt(message, secret_passphrase)`; how can I keep users from viewing the secret passphrase with View Source?

I can't use any server-side programming. I am using the JavaScript code within a SharePoint page, and server-side programming would require Visual Studio. Actually, I want to send an encrypted string from SharePoint to PHP containing the current user's username so I can authenticate the user in PHP directly, without a login page (I decrypt it and compare it to some usernames in the MySQL database, and if the username is found, I can proceed with the login).

I mentioned this so you can get the big picture of what I am doing.

Hello Lili
  • 1,527
  • 1
  • 25
  • 50
  • Why does `secret_passphrase` need to be hidden as they can see `message`? HTTPS/TLS is what to use for transport security. – Alex K. May 06 '15 at 13:21
  • It is pointless to encrypt the string through javascript as the key will be publicly available. Just use SSL/TLS (HTTPS) and your problem is solved. – Jonathan May 06 '15 at 13:21

3 Answers

4

If you cannot do it the server way, there is no absolute way of doing this from JavaScript. Since all the JavaScript files are downloaded to the client browser, the user has access to those files. With a little effort, he can crack the code.

You might want to have a look at obfuscation of JavaScript. Please see this SO

aksappy
  • 3,400
  • 3
  • 23
  • 49
2

One possible solution is to have a different secret key for each browser session stored in local storage.

// Generate secret key: 16 random bytes from the browser's CSPRNG, hex-encoded
// (assumes a browser with window.crypto and CryptoJS loaded on the page)
var keyBytes = new Uint8Array(16);
window.crypto.getRandomValues(keyBytes);
var key = Array.prototype.map.call(keyBytes, function (b) {
  return ('0' + b.toString(16)).slice(-2);
}).join('');

// Store in local storage
localStorage.setItem('key', key);

Then when you need to encrypt something:

// Read the key back and encrypt (the question's crypt() written out as CryptoJS.AES.encrypt)
var key = localStorage.getItem('key');
var secure = CryptoJS.AES.encrypt(message, key).toString();

In this way, the key is localized to the user's browser, meaning it doesn't matter whether they know it or not, since they are most likely the user who created the message in the first place.

Jeremy Harris
  • 24,318
  • 13
  • 79
  • 133
  • How is the server supposed to decrypt it without knowing the key? – Jonathan May 06 '15 at 13:23
  • @Augwa I want to decrypt it in PHP and I'll know the key because I'll be the one creating it – Hello Lili May 06 '15 at 13:23
  • OP said `I can't use any server side programming`, but then mentions PHP. So, not sure exactly which it is. – Jeremy Harris May 06 '15 at 13:24
  • @Augwa I can control PHP, the only thing I can't do server-side is the Javascript part from Sharepoint – Hello Lili May 06 '15 at 13:24
  • @HelloLili The client needs to know the key, and since you'll have to include it in your JavaScript, you've just removed the benefit of the encryption because the key is publicly available. As we've mentioned in the comments above, that's the purpose of using HTTPS. – Jonathan May 06 '15 at 13:25
  • A possible compromise is to generate a new key for each *session* (meaning PHP knows about it) and output it into your javascript. Either way, as @Augwa said, you should be using HTTPS here regardless. – Jeremy Harris May 06 '15 at 13:27
1

Like aksappy said, everything in JavaScript is by definition available, so the key, if there is a key, won't be hidden. If this is about transmitting usernames, there is no need IMO to encrypt them. The possibility for attackers to learn usernames depends on the protocol used. So, you should use HTTPS instead of HTTP.

Denis Leger
  • 213
  • 2
  • 7