
I'm creating a server that can store cookies on the web containing application settings. The server will accept any data, but I want to encrypt all the settings before storing them in a cookie and decrypt them when reading them out, so I can store very sensitive data like account usernames and passwords in the cookies and the server cannot do anything with them.

My question now is: what is the best way to encrypt such data with a password in JavaScript on the client side? What is the most secure?

I need some code that I can embed into my site and use it from there.

Van Coding

3 Answers


I'd recommend using AES encryption in your JavaScript code. See Javascript AES encryption for libraries and links. The trouble you'll have is picking a key that is only available on the client side. Perhaps you can prompt the user? Or hash together some client system information that's not sent to the server.

WhiteFang34

You could try a Vernam cipher with the password.

Basically you use the password as the key and then XOR the string to encrypt with the password. This can be reversed as well.

Here is a Wikipedia page on this type of encryption: http://en.wikipedia.org/wiki/XOR_cipher

Example Code

function encrypt(key, value) {
  var result = "";
  for (var i = 0; i < value.length; ++i) {
    // XOR each character code of the value with the corresponding key
    // character code, cycling through the key when the value is longer
    result += String.fromCharCode(key.charCodeAt(i % key.length) ^ value.charCodeAt(i));
  }
  return result;
}

function decrypt(key, value) {
  // XOR is its own inverse, so decryption is the same operation as encryption
  var result = "";
  for (var i = 0; i < value.length; ++i) {
    result += String.fromCharCode(key.charCodeAt(i % key.length) ^ value.charCodeAt(i));
  }
  return result;
}

I haven't tested this, but it's probably close. You will notice that the encrypt and decrypt functions should be identical.

John Hartsock
  • Don't roll your own crypto. The proposed solution 1) requires a key that is as long as the value encrypted and 2) suffers from statistical attacks: if you encrypt more than one value with the same key, a malicious party will likely be able to decrypt both values – psla Jan 29 '21 at 23:08

EDIT: Misunderstood your question. Check out this question instead:

What encryption algorithm is best for encrypting cookies?

Hubro
  • This is not exactly what OP was asking. – John Hartsock Apr 25 '11 at 20:34
  • Ok, re-reading the OP's question a few times I admittedly misunderstood his question. I think my link to the similar, old question should deserve you removing your -1 though :) – Hubro Apr 25 '11 at 20:37
  • I cannot hash the passwords. My app is built to not need an account, but it supports many APIs like Dropbox, FTP, SFTP and many other things. It's a development environment, so they'll need to enter some account information that is needed to access the APIs. I don't want users of the app to need an account to use it. They can save all their data in such a cookie. Later I'll make all the code open source, so many other people will host the app. And maybe the people want to host their own cookie servers, too. I don't want to store any user data on my server. I'll be just a provider of the app. – Van Coding Apr 25 '11 at 20:39
  • Let's hope that person has a habit of checking in on his downvotes :3 – Hubro Apr 25 '11 at 20:40
  • @FlashFan: I've updated my answer :) Sorry for misunderstanding your question – Hubro Apr 25 '11 at 20:41
  • @Codemonkey: I gave you a +1 for changing your answer the right way ;) – Van Coding Apr 25 '11 at 20:45