Hi, thank you all for the reply. SSL/TLS is mandated. Along with that I need client-side password encryption also. Here is one possibility - https://groups.google.com/forum/#!topic/crypto-js/TAaHW2xcAV0
Please let me know where I should make changes in CAS (server-side decryption) in order to achieve the goal. Client-side encryption I am doing in casLoginView.jsp

Thanks

On Wednesday, September 24, 2014 6:42:30 PM UTC+5:30, Waldbieser, Carl wrote:
>
> If SSL/TLS is not available, you are going to have a lot of problems.
> Simply encrypting the password is not going to solve them.
>
> Here are some questions you might think about:
>
> For symmetric encryption/decryption to work, the browser and the server
> must both have access to a shared secret.
> How is the browser going to get the secret in the first place?
>
> SSL provides identity, confidentiality, and integrity. Simply encrypting
> the password will not provide all 3 of these.
> E.g. how is this going to prevent a man-in-the-middle attack? How can a
> client be sure it is connected to the CAS server?
>
> How can you be sure the information being sent is not tampered with? If
> an attacker sits in the middle and gets its hands
> on the response, it can steal the TGC, and change the redirect so the
> client goes wherever it chooses to send it!
>
> Thanks,
> Carl Waldbieser
> Systems Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Anshika" <[email protected]>
> To: [email protected]
> Cc: [email protected], [email protected], "marvin addison" <[email protected]>
> Sent: Wednesday, September 24, 2014 8:16:07 AM
> Subject: Re: [cas-user] client side password encryption
>
> Thanks for the clarification. I do support your advice.
>
> However in case SSL is not available, then how can we implement this
> browser side encryption? Please suggest.
>
>
> On Wednesday, September 24, 2014 5:23:50 PM UTC+5:30, Marvin Addison wrote:
> >
> > I think he refers to the client side (the browser) encrypting the
> > password, shipping that through to the server, and the server decrypting
> > it.
> >
> > It's hard to imagine what additional security that would provide in
> > addition to SSL/TLS transport security that encrypts the entire form
> > payload including the password. The security characteristics are the
> > same: the client has access to the cleartext password and the server
> > has access to the decryption key to decrypt the ciphertext. You add
> > some new problems like browser support for encryption and symmetric
> > key exchange/management. I would strongly advise against it.
> >
> > M
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
