JAVAScript Public Key Encryption

Discussion in 'Javascript' started by webmaniac, Nov 20, 2008.

  1. webmaniac

    webmaniac Guest

    Hi,

    Does anyone know how "JAVAScript Public Key Encryption" works?

    I am trying to secure my web page.
    The users are going to log in to my website.
    I want to give them a 4 digit pin, that will match the Private key
    generated by JAVAScript Public Key Encryption algorithm. Something
    like that.

    Thanks
     
    webmaniac, Nov 20, 2008
    #1

  2. webmaniac

    Evertjan. Guest

    webmaniac wrote on 20 nov 2008 in comp.lang.javascript:

    > Does anyone know how "JAVAScript Public Key Encryption" works?
    >
    > I am trying to secure my web page.
    > The users are going to log in to my website.
    > I want to give them a 4 digit pin, that will match the Private key
    > generated by JAVAScript Public Key Encryption algorithm. Something
    > like that.
    >


    You cannot secure your webpage with clientside code, methinks.

    You could secure some information on a page, but what the heck,
    doing that serverside is better and easier.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Nov 20, 2008
    #2

  3. webmaniac

    webmaniac Guest

    On Nov 20, 12:29 pm, "Evertjan." <>
    wrote:
    > webmaniac wrote on 20 nov 2008 in comp.lang.javascript:
    >
    > > Does anyone know how "JAVAScript Public Key Encryption" works?
    > >
    > > I am trying to secure my web page.
    > > The users are going to log in to my website.
    > > I want to give them a 4 digit pin, that will match the Private key
    > > generated by JAVAScript Public Key Encryption algorithm. Something
    > > like that.
    >
    > You cannot secure your webpage with clientside code, methinks.
    >
    > You could secure some information on a page, but what the heck,
    > doing that serverside is better and easier.
    >
    > --
    > Evertjan.
    > The Netherlands.
    > (Please change the x'es to dots in my emailaddress)


    Hi Evertjan,

    Let's say someone got registered at the website, the private key got
    generated by the Public key algorithm. Now the user has to enter that
    Public key to access the system. But the public key is so long & we
    don't want the user to remember that big a key. Is there a way we can
    convert that key into a 4 digit pin? Do you know any algorithm that
    converts that key into a 4 digit pin?

    Thanks
     
    webmaniac, Nov 20, 2008
    #3
  4. webmaniac

    Evertjan. Guest

    webmaniac wrote on 20 nov 2008 in comp.lang.javascript:

    > Let's say someone got registered at the website,


    What does that mean, "Someone got registered at the website"?

    > the private key got
    > generated by the Public key algorithm,


    Where is that generating code located, on clientside code?

    > Now user has to enter that
    > Public key to access the system.


    What system? On the server?

    > But the public key is so long & we
    > don't want the user to remember that big a key. Is there a way we can
    > convert that key into a 4 digit pin? Do you know any algorithm that
    > converts that key into a 4 digit pin?


    // Lookup table keyed by PIN (a plain object, since the keys are strings)
    var publicKey = {};
    publicKey['2641'] = 'ThisisTheVeryLongKeyBlahBlahBlahBlahBlahBlahetc';

    Again, as in your subject line, you ask for encryption.

    Why would you want to encrypt a public key anyway, as it is public?

    And why would you want to do that clientside?

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Nov 20, 2008
    #4
  5. webmaniac wrote:
    >
    > Let's say someone got registered at the website, the private key got
    > generated by the Public key algorithm. Now the user has to enter that
    > Public key to access the system. But the public key is so long & we
    > don't want the user to remember that big a key. Is there a way we can
    > convert that key into a 4 digit pin?


    As with most security solutions created by non-experts, and most
    applications of cryptography created by non-experts, this is neither
    secure nor an appropriate use of cryptographic technology.

    Using an asymmetric key pair by itself as an authenticator is a lousy
    use of the primitive. It's vulnerable to replay attacks, for example.

    If the user's secret is a "public" key, then it's not secret, by
    definition. So your scheme makes no sense anyway. (Perhaps you meant
    that the user supplies the private key.)

    It's not clear why you think you need an asymmetric primitive at all.
    What are you gaining over a shared secret, or a secret and a verifier
    such as a cryptographic hash? Those are much more common
    authentication mechanisms.

    As Evertjan already pointed out, client-side security is rarely
    useful. If the user is verified by the client, the server has no
    grounds for trusting the verification.

    Can you reduce an asymmetric key to a 4-digit PIN? Sure. You can
    reduce it to a 1-digit PIN, too. But it would be stupid to do so.
    Decimal PINs are hard for users to remember, they're inconvenient to
    enter on systems that don't have numeric keypads, and they have little
    entropy (less than 14 bits for a 4-digit decimal PIN). If your system
    has any vulnerability that an attacker can exploit to guess PINs (and
    I bet it does), then it only takes an average of 5000 attempts to
    break it for a given user.

    In short: don't do this. Either employ an actual security expert to
    secure your site, or purchase a decent off-the-shelf package for it.

    --
    Michael Wojcik
    Micro Focus
    Rhetoric & Writing, Michigan State University
     
    Michael Wojcik, Nov 21, 2008
    #5
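
An added example, not part of the original thread or any poster's code: the "secret and a verifier" approach from post #5, checked on the server with a failure lockout, alongside the entropy figure for a 4-digit PIN. The user table, the `MAX_ATTEMPTS` value, the account name and all function names are assumptions made for illustration.

```javascript
// Works whether this file is run as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const MAX_ATTEMPTS = 5;   // assumed lockout threshold
const users = new Map();  // in-memory stand-in for the server's user table

// Server keeps a salted scrypt verifier, never the secret itself.
function register(name, secret) {
  const salt = nodeCrypto.randomBytes(16);
  const verifier = nodeCrypto.scryptSync(secret, salt, 32);
  users.set(name, { salt, verifier, failures: 0 });
}

// Runs on the server; nothing the client claims about itself is trusted.
function login(name, secret) {
  const user = users.get(name);
  if (!user) return 'denied';
  if (user.failures >= MAX_ATTEMPTS) return 'locked';
  const candidate = nodeCrypto.scryptSync(secret, user.salt, 32);
  if (nodeCrypto.timingSafeEqual(candidate, user.verifier)) {
    user.failures = 0;
    return 'ok';
  }
  user.failures += 1;
  return 'denied';
}

// Entropy in bits of a uniformly random secret.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Simulated online guesser walking the PIN space until success or lockout.
function simulateGuessing(name) {
  for (let i = 0; i < 10000; i++) {
    const pin = String(i).padStart(4, '0');
    const result = login(name, pin);
    if (result === 'ok') return { found: pin, tries: i + 1 };
    if (result === 'locked') return { found: null, tries: i };
  }
  return { found: null, tries: 10000 };
}

register('alice', '2641');                   // constructed sample account and PIN
console.log(entropyBits(10, 4).toFixed(2));  // bits in a 4-digit decimal PIN
console.log(simulateGuessing('alice'));      // stopped by the lockout
console.log(entropyBits(62, 12).toFixed(2)); // 12 random alphanumerics, for comparison
```

Without the lockout the loop always finds a 4-digit PIN within 10,000 tries; with it, the guesser's chance per lockout window is `MAX_ATTEMPTS / 10000`.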