If SSL/TLS is not available, you are going to have a lot of problems. Simply encrypting the password is not going to solve them.
Here are some questions you might think about: For symmetric encryption/decryption to work, the browser and the server must both have access to a shared secret. How is the browser going to get the secret in the first place?

SSL provides identity, confidentiality, and integrity. Simply encrypting the password will not provide all 3 of these. E.g., how is this going to prevent a man-in-the-middle attack? How can a client be sure it is connected to the CAS server? How can you be sure the information being sent is not tampered with? If an attacker sits in the middle and gets its hands on the response, it can steal the TGC and change the redirect so the client goes wherever it chooses to send it!

Thanks,
Carl Waldbieser
Systems Programmer
Lafayette College

----- Original Message -----
From: "Anshika" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected], "marvin addison" <[email protected]>
Sent: Wednesday, September 24, 2014 8:16:07 AM
Subject: Re: [cas-user] client side password encryption

Thanks for the clarification. I do support your advice. However, in case SSL is not available, how can we implement this browser-side encryption? Pls suggest.

On Wednesday, September 24, 2014 5:23:50 PM UTC+5:30, Marvin Addison wrote:
>
> I think he refers to the client side (the browser) encrypting the password, shipping that through to the server, and the server decrypting it.
>
> It's hard to imagine what additional security that would provide in addition to SSL/TLS transport security that encrypts the entire form payload including the password. The security characteristics are the same: the client has access to the cleartext password and the server has access to the decryption key to decrypt the ciphertext. You add some new problems like browser support for encryption and symmetric key exchange/management. I would strongly advise against it.
>
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
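The following simulation is an added illustration of the point Carl makes above; it is example code written for this page, not code from the thread or from the CAS project. It models the scheme Anshika asks about, browser-side symmetric encryption of the password with no TLS underneath, and shows what an active man-in-the-middle does to it: since the shared key has to reach the browser over the same cleartext channel, the attacker substitutes its own key, reads the password, re-encrypts it for the real server, then reads the TGC cookie off the unprotected response and rewrites the redirect. The XOR keystream cipher, the sample account, and the hostnames service.example.edu and attacker.example.net are all constructed for the example.

```python
import hashlib
import secrets

SERVICE_URL = "https://service.example.edu/"    # hypothetical CAS service (assumed)
ATTACKER_URL = "http://attacker.example.net/"   # hypothetical attacker-controlled host (assumed)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the simulation only (not a real cipher):
    keystream blocks are SHA-256(key || 4-byte counter) XORed into data.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CasServer:
    """Stand-in for a CAS login endpoint with no TLS: it hands the browser a
    symmetric key over the cleartext channel and expects the password back
    encrypted under that key. The account table is a constructed sample."""

    def __init__(self):
        self.key = secrets.token_bytes(16)
        self.accounts = {"anshika": "correct horse battery"}

    def send_key(self) -> bytes:
        # Travels in the clear, like everything else without TLS.
        return self.key

    def login(self, user: str, enc_password: bytes) -> dict:
        password = xor_stream(self.key, enc_password).decode("utf-8", "replace")
        if self.accounts.get(user) != password:
            return {"status": 401}
        # On success CAS sets the TGC cookie and redirects back to the service.
        return {"status": 302,
                "set_cookie": "TGC=" + secrets.token_hex(8),
                "location": SERVICE_URL}


class Browser:
    def __init__(self, user: str, password: str):
        self.user, self.password = user, password

    def login(self, key: bytes, send):
        """Encrypt the password under whatever key arrived and submit it via
        `send`, which models the network path (direct, or through an attacker)."""
        return send(self.user, xor_stream(key, self.password.encode()))


def run_honest() -> dict:
    """No attacker on the path: a passive eavesdropper would see only
    ciphertext, which is the entire benefit the scheme offers."""
    server = CasServer()
    browser = Browser("anshika", "correct horse battery")
    return browser.login(server.send_key(), server.login)


def run_with_mitm() -> dict:
    """Active attacker on the path. Nothing authenticates the server or
    protects the messages, so the attacker controls both directions."""
    server = CasServer()
    browser = Browser("anshika", "correct horse battery")
    attacker = {"key": secrets.token_bytes(16), "password": None, "tgc": None}

    server.send_key()                        # the real key goes out ...
    key_seen_by_browser = attacker["key"]    # ... but the browser receives the attacker's key

    def proxied_login(user, enc_password):
        # Confidentiality lost: the browser encrypted under the attacker's key.
        attacker["password"] = xor_stream(attacker["key"], enc_password).decode()
        # Re-encrypt for the real server so the login succeeds and nobody notices.
        response = server.login(user, xor_stream(server.key, attacker["password"].encode()))
        # Integrity and identity lost: the response is readable and rewritable.
        attacker["tgc"] = response.get("set_cookie")
        tampered = dict(response)
        tampered["location"] = ATTACKER_URL
        return tampered

    return {"attacker": attacker,
            "browser_saw": browser.login(key_seen_by_browser, proxied_login)}


if __name__ == "__main__":
    print("honest login:", run_honest())
    result = run_with_mitm()
    print("attacker captured:", result["attacker"])
    print("browser was redirected to:", result["browser_saw"]["location"])
```

Running it prints the stolen password and TGC alongside the attacker's redirect, which is the scenario Carl describes: encrypting the password changes nothing for an attacker who can also deliver the key and edit the response. Swapping the toy cipher for AES would not help; the missing pieces are an authenticated channel and integrity protection, which is what TLS supplies.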
