Click here to Skip to main content
15,867,568 members
Please Sign up or sign in to vote.
3.40/5 (3 votes)
Hi, I want to encrypt my password using jquery/javascript and then decrypt it using c# at server side, can anyone tell me the simplest way to accomplish it. Thanks
Posted
Comments
Prasad Khandekar 5-Jun-13 16:10pm    
Doing so will expose the secret key to preying eyes. Instead try and use a hash function such as SHA-1, MD-5 etc. And on the server side user one more hash with a known random salt to compare it with the value stored in database. In your database you can store the password in $SALT$HASH where HASH is computed by SHA-1(SALT + SHA-1(PLAIN-TEXT PASSWORD)).
Sergey Alexandrovich Kryukov 5-Jun-13 16:23pm    
I are right basically, but not about SHA-1 — it's found vulnerable (broken), please check with Wikipedia.

I provided a detailed answer, please see.

—SA
Prasad Khandekar 5-Jun-13 16:31pm    
You are absolutely right, In a real world application one should be using SHA-256 and not SHA-1, MD-5. +5
ZurdoDev 5-Jun-13 16:21pm    
If you just use SSL you don't need to encrypt it on the client side. What are you actually trying to accomplish?
Sergey Alexandrovich Kryukov 5-Jun-13 16:25pm    
Good point. True, but even under SSL wrong use of password may create security leak. That's why it's good to understand the principles — please see my answer.
—SA

Prasad is right, this is not how secret authentication is done. You should not really encrypt the password, but you can instead use a cryptographically strong hash function:
http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].

Now, you don't need to ever store a password anywhere. Instead, you should store passwords' hash value and compare hash to hash. So, the user creates password for a very first time. JavaScript creates its hash and delivers the value to the server side where it is stored. Next time, when a use is authenticating, it sends only the hash, and then the server side compares hash to hash.

I really strongly advise to use SHA256 (in particular, MD5 and SHA1 family of algorithms are found vulnerable): http://en.wikipedia.org/wiki/SHA256[^].

You can use JavaScript implementation of the algorithm. For example, here: http://www.webtoolkit.info/javascript-sha256.html[^].

And .NET provides comprehensive implementation if its BCL:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx[^],
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx[^].

[EDIT]

Please see the comment by ryanb31: this along won't be enough, as the hash value sent can also be eavesdropped by spying on IP packages and then the user post can be imitated. So, it needs SSL. However, I explained the principles of using the cryptographic hash.

—SA
 
Share this answer
 
v2
Hi,

I have done same implementation for some of my clients, but approach was totally different from as describe above.

Client level encryption but that encryption key would be retrieved dynamically.

when user as for Log In page send the dynamic key from server based on that generate the encrypted password then send it to server.

Its best to build your own mechanize for encryption because all of a sudden you can change the whole logic.

I my case I have append the key with the password so always its show and new encrypted password, this way it became a dynamic encryption, I know its tough to understand via word but I cant share those codes as they are patent so if need some more clarification feel free to ask.
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900