
Just like the title says, how could I encrypt a password before I send it to the server via AJAX, and then decrypt it in PHP (since JS runs on the client side and PHP runs on the server side, I don't know how to encrypt and decrypt using the same scenario/algorithm)? Currently I'm using Laravel as the framework. Some people said that I should use https, but I want to avoid using this.

I appreciate any link or tutorial.

Yudi Chang
    Just out of curiosity, why do you avoid `https`? And to be on topic, maybe this can help http://stackoverflow.com/questions/5724650/ssl-alternative-encrypt-password-with-javascript-submit-to-php-to-decrypt – Alex Tartan Oct 30 '15 at 08:11
  • I'm not really sure about this, but my professor (an expert in internet protocols) said that https is pretty heavy to use (not in terms of being hard to use or implement) – Yudi Chang Oct 30 '15 at 08:23
  • `https` does indeed create some overhead, but if you're not keen on optimizing every millisecond of a request, you're better off using it. Facebook, for instance, loads everything through `https`. And it does hundreds of requests. Just think about that. – Alex Tartan Oct 30 '15 at 08:27
  • @YudiChang your professor sounds like someone who is not so knowledgeable. There is a very slight SSL overhead and HTTPS can be marginally slower than HTTP, but nothing you'd ever notice. Plus, you can tweak HTTPS to have better performance. – IllegalPigeon Oct 30 '15 at 08:28
  • If you assume an active attacker, then you can't do this without TLS (https). – Artjom B. Oct 30 '15 at 08:59

4 Answers


Any encryption you do client-side isn't going to be safe, as the code that is used for encrypting will be easily visible.

Why do you want to avoid using https? That by definition will send data encrypted.

G.H
  • I'll just repeat the comment I posted above: "I'm not really sure about this, but my professor (an expert in internet protocols) said that https is pretty heavy to use (not in terms of being hard to use or implement)" – Yudi Chang Oct 30 '15 at 08:23
  • Pretty heavy to use? What does he mean? I would ask him to qualify his statement. – G.H Oct 30 '15 at 10:06

I would prefer RSA encryption.

Encrypt your password with the public RSA key in JavaScript and send the string to the server.

You can use this library to encrypt: https://github.com/travist/jsencrypt

Decrypt it with your private RSA key in PHP:

Encrypt and Decrypt text with RSA in PHP and Integrate phpseclib into Laravel 5

cre8

JavaScript's base64 btoa(string) will help encode the password. In Laravel you can decrypt it by using base64_decode($string).

Suresh Velusamy

There is a simple rule in writing server applications: never trust user data. The same applies to client-side validation.

Users who know basic JavaScript can enter malicious data and break into your application.

You could consider the following public key cryptography JS libraries:

pidCrypt

https://github.com/ncb000gt/node.bcrypt.js/

Remember, if you do not use SSL you may be vulnerable to attacks.

Hope this is helpful.

ArtisanBay