Click here to Skip to main content
Rate this: bad
good
Please Sign up or sign in to vote.
See more: C# ASP.NET Javascript jQuery , +
Hi, I want to encrypt my password using jquery/javascript and then decrypt it using c# at server side, can anyone tell me the simplest way to accomplish it. Thanks
Posted 5-Jun-13 11:04am
Comments
Prasad Khandekar at 5-Jun-13 16:10pm
   
Doing so will expose the secret key to preying eyes. Instead try and use a hash function such as SHA-1, MD-5 etc. And on the server side user one more hash with a known random salt to compare it with the value stored in database. In your database you can store the password in $SALT$HASH where HASH is computed by SHA-1(SALT + SHA-1(PLAIN-TEXT PASSWORD)).
Sergey Alexandrovich Kryukov at 5-Jun-13 16:23pm
   
I are right basically, but not about SHA-1 — it's found vulnerable (broken), please check with Wikipedia.
 
I provided a detailed answer, please see.
 
—SA
Prasad Khandekar at 5-Jun-13 16:31pm
   
You are absolutely right, In a real world application one should be using SHA-256 and not SHA-1, MD-5. +5
ryanb31 at 5-Jun-13 16:21pm
   
If you just use SSL you don't need to encrypt it on the client side. What are you actually trying to accomplish?
Sergey Alexandrovich Kryukov at 5-Jun-13 16:25pm
   
Good point. True, but even under SSL wrong use of password may create security leak. That's why it's good to understand the principles — please see my answer.
—SA
Sergey Alexandrovich Kryukov at 5-Jun-13 16:28pm
   
I added [EDIT] to my answer, crediting this comment. Thank you very much.
—SA
itsseven7 at 5-Jun-13 16:40pm
   
Basically, I'm making an Ajax call to know if the credentials entered by users are authenticated, and that's the reason I want to encrypt the password at client side as on client side password having plain text is not a good idea. Also my scenorio is, doing it without SSL
Sergey Alexandrovich Kryukov at 5-Jun-13 17:03pm
   
Than you can use my answer, with understanding of the potential vulnerability. Also, you can implement some SSL over HTTP, there are such projects. The point is: don't send a password, don't send a private (or the only) key. Hence, the cryptographic hash solution.
Your problem is solved.
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

Prasad is right, this is not how secret authentication is done. You should not really encrypt the password, but you can instead use a cryptographically strong hash function:
http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].
 
Now, you don't need to ever store a password anywhere. Instead, you should store passwords' hash value and compare hash to hash. So, the user creates password for a very first time. JavaScript creates its hash and delivers the value to the server side where it is stored. Next time, when a use is authenticating, it sends only the hash, and then the server side compares hash to hash.
 
I really strongly advise to use SHA256 (in particular, MD5 and SHA1 family of algorithms are found vulnerable): http://en.wikipedia.org/wiki/SHA256[^].
 
You can use JavaScript implementation of the algorithm. For example, here: http://www.webtoolkit.info/javascript-sha256.html[^].
 
And .NET provides comprehensive implementation if its BCL:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx[^],
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx[^].
 
[EDIT]
 
Please see the comment by ryanb31: this along won't be enough, as the hash value sent can also be eavesdropped by spying on IP packages and then the user post can be imitated. So, it needs SSL. However, I explained the principles of using the cryptographic hash.
 
—SA
  Permalink  
v2
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 2

Hi,
 
I have done same implementation for some of my clients, but approach was totally different from as describe above.
 
Client level encryption but that encryption key would be retrieved dynamically.
 
when user as for Log In page send the dynamic key from server based on that generate the encrypted password then send it to server.
 
Its best to build your own mechanize for encryption because all of a sudden you can change the whole logic.
 
I my case I have append the key with the password so always its show and new encrypted password, this way it became a dynamic encryption, I know its tough to understand via word but I cant share those codes as they are patent so if need some more clarification feel free to ask.
  Permalink  

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
0 OriginalGriff 240
1 Kamal Rocks 184
2 BillWoodruff 173
3 PIEBALDconsult 160
4 CPallini 155
0 OriginalGriff 5,695
1 DamithSL 4,506
2 Maciej Los 4,007
3 Kornfeld Eliyahu Peter 3,480
4 Sergey Alexandrovich Kryukov 3,180


Advertise | Privacy | Mobile
Web03 | 2.8.141216.1 | Last Updated 6 Jun 2013
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100