Well this is not the better way but it can give you an idea. In this case your goal is to find a way where reversing the password is impossible or too difficult. It's clear that the major weakness of the method used below is my random number generator! Check the example: password=='2a74' this is where you find out if the password is correct. BTW 2a74 = DynAPI (case sensitive ;)
<HTML>
<HEAD>
<SCRIPT LANGUAGE=javascript>
<!--
function rnd(){
    this.addr=41 //there are some sets of number that makes this work better
    this.mult=49 //but I cant remember the rules to choose them :(
    this.norm=65535
}
rnd.prototype.pop=function(seed){
    return ((seed*this.mult+this.addr) % this.norm)
}
function crypt(str){
    var tmp=0,x=new rnd()
    for(var i=0;i<str.length;i++){
        tmp+=str.charCodeAt(i)
        tmp+=x.pop(str.charCodeAt(i))
    }
    tmp=x.pop(tmp)
    return tmp.toString(24)
}
function test(password){
    password=crypt(password)
    if(password=='2a74') alert('Ok')
    else alert('try again')
    return 0
}
//-->
</SCRIPT>
</HEAD>
<BODY>
<FORM name="frm">
<INPUT type="password" name="pass"><INPUT type="button" value="check" onclick="test(document.frm.pass.value)">
</FORM>
</BODY>
</HTML>

I apologize for my statement, of course you read the page. Then, contrary to your previous email (>"you use the public key to decrypt."), you must have read that you do need a private key for decryption? Not to get too far off topic (this isn't an encryption list), all I'm saying is that any of the key-based encryption/decryption algorithms would be hard to implement securely with javascript. I'm hoping someone shows an implementation that does this. The whole idea is that this isn't exactly trivial, and it's certainly more involved than just two words (RSA encryption or what you call encription ;) ), if you know what I mean :P

We can always continue this conversation off the email list as well :)

--JC

----- Original Message -----
From: "Doug Melvin" <[EMAIL PROTECTED]>
To: "Josh Chu" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Dynapi-Help" <[EMAIL PROTECTED]>
Sent: Thursday, November 29, 2001 4:52 PM
Subject: Re: [Dynapi-Help] theoretical javascript question

> Of course i read the fucking page.
> We even use that here for secure messaging.
>
> ----- Original Message -----
> From: "Josh Chu" <[EMAIL PROTECTED]>
> To: "Doug Melvin" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Dynapi-Help" <[EMAIL PROTECTED]>
> Sent: Thursday, November 29, 2001 5:41 PM
> Subject: Re: [Dynapi-Help] theoretical javascript question
>
> > I don't mean to be harsh, but did you read the link that you gave
> > (http://www.orst.edu/dept/honors/makmur/) or were you just feeling lucky
> > with google? I don't profess to be an RSA encryption expert by any means,
> > but it's quite clear that you encrypt using a known public key, and
> > decrypt using the cipher's private key. This is one of the fundamentals
> > of key-based encryption/decryption. Please keep reading if this isn't
> > quite clear.
> > Here's an encryption/decryption scenario of users sending emails, as
> > I understand it:
> > 1) You send an encrypted email to me by using my public key. You
> > also include your public key for me to encrypt the message when I
> > reply back to you.
> > 2) I receive the message. No one along the way is able to decipher
> > the message unless they have my private key. When I want to view
> > the message, I use my private key to decrypt it.
> > 3) When I reply back to you, my mail program encrypts the message
> > using your public key provided on your original message.
> > 4) You receive the email message. No one along the way is able to
> > decipher the message unless they have your private key. When you want
> > to view my reply, you use your private key to decrypt it.
> > 5) and on and on.
> >
> > Now this is the idea as I understand it. If I'm way off base, someone
> > please set me straight ;)
> > To relate this idea to using javascript for encryption/decryption,
> > let's take a look at a scenario of client-side password validation
> > as Jonah had originally specified.
> > Let's make the example simple and say we have a variable defined in
> > javascript (var passwd = "fdjX3!bc@") that represents an encrypted
> > password. The user will be presented a form in which to enter a
> > password. The javascript password variable will then be decrypted
> > and compared to the password the user entered. In order for this
> > decryption to occur, the javascript will need the private key that the
> > password was originally generated with. Hence, the client will need
> > access to the private key, which indeed makes the key a PRIVATE KEY
> > THAT IS PUBLIC. Obviously, this is not good. Like I mentioned, there
> > may be workarounds for this. But to have a pure client-side validation
> > technique I think would be difficult to do. By all means, I hope this
> > is wrong, because it would be very cool to see encryption/decryption
> > done "securely" with javascript.
> >
> > --JC
> >
> > ----- Original Message -----
> > From: "Doug Melvin" <[EMAIL PROTECTED]>
> > To: "Josh Chu" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Dynapi-Help" <[EMAIL PROTECTED]>
> > Sent: Thursday, November 29, 2001 4:02 PM
> > Subject: Re: [Dynapi-Help] theoretical javascript question
> >
> > > uh, private key? the private key is PRIVATE..
> > > you use the public key to decrypt.
> > >
> > > Simply put, aside from SSH and SSL, I don't believe you will find
> > > a better solution.
> > > Sorry.
> > > That is just _my_ opinion tho.
> > > :-)
> > > ----- Original Message -----
> > > From: "Josh Chu" <[EMAIL PROTECTED]>
> > > To: "Doug Melvin" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Dynapi-Help" <[EMAIL PROTECTED]>
> > > Sent: Thursday, November 29, 2001 4:58 PM
> > > Subject: Re: [Dynapi-Help] theoretical javascript question
> > >
> > > > Again the problem, especially with using key-based encryption
> > > > algorithms like RSA, is that you have to have the public and
> > > > private keys in order to perform the encryption/decryption.
> > > > Encryption isn't the problem, since you can encrypt the password
> > > > or field just using the public keys. The problem lies when you
> > > > need to decrypt the cipher, which requires using a private key,
> > > > which is really hard to make private if you have a .js file out on
> > > > the web that contains this key. To make this more clear, if you
> > > > have a javascript program that is running on a user's browser,
> > > > then to decrypt a cipher, that program will have to read the
> > > > private key from somewhere on the web. Hence, anyone who can run
> > > > this javascript can also view the private key necessary to decrypt
> > > > the cipher. Obviously this is not very secure. I guess one
> > > > workaround for this would be to store the private key on the
> > > > client (via a cookie -- document.cookie manipulation) and always
> > > > decrypt using the private key stored on the client. I've never
> > > > attempted this however, so if you can get a prototype working,
> > > > that would be very interesting.
> > > > --JC
> > > >
> > > > ----- Original Message -----
> > > > From: "Doug Melvin" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>; "Dynapi-Help" <[EMAIL PROTECTED]>
> > > > Sent: Thursday, November 29, 2001 3:07 PM
> > > > Subject: Re: [Dynapi-Help] theoretical javascript question
> > > >
> > > > > two words:
> > > > > RSA encription. http://www.orst.edu/dept/honors/makmur/
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Jonah" <[EMAIL PROTECTED]>
> > > > > To: "Dynapi-Help" <[EMAIL PROTECTED]>
> > > > > Sent: Thursday, November 29, 2001 2:31 PM
> > > > > Subject: [Dynapi-Help] theoretical javascript question
> > > > >
> > > > > > Would it be possible, in theory, to securely validate a
> > > > > > password client side?
> > > > > >
> > > > > > Obviously, simple string matching would not work because the
> > > > > > client could view the source to find the correct password.
> > > > > >
> > > > > > But I have this vague notion (my upper level math skills are
> > > > > > very rusty):
> > > > > >
> > > > > > Parsing the password up into characters perhaps, converting
> > > > > > the chars to numbers, and then passing the numbers into the
> > > > > > variables of a set of non-linear equations that must be solved
> > > > > > simultaneously (in javascript, a set of functions that must
> > > > > > return true simultaneously). I have no idea how you could
> > > > > > generate the necessary difficult-to-solve set of equations
> > > > > > given a particular password, but am curious to know if such an
> > > > > > approach is viable even in theory. Anyone have any ideas?
> > > > > >
> > > > > > Thanks,
> > > > > > Jonah
> > > > > >
> > > > > > _______________________________________________
> > > > > > Dynapi-Help mailing list [EMAIL PROTECTED]
> > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
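
Added example, not part of any message in this thread: a measurement of how much of the password the crypt() digest from the first message actually retains. It restates the posted algorithm so that it runs on its own; closedFormDigest, acceptedBy, digestSpread and the SAMPLES strings are constructed for this illustration.

```javascript
// Added example. ADDR/MULT/NORM and the digest loop restate the posted
// rnd()/crypt(); every other name here is hypothetical.
const ADDR = 41, MULT = 49, NORM = 65535;
const pop = (seed) => (seed * MULT + ADDR) % NORM;

function cryptDigest(str) {
  let tmp = 0;
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    tmp += c + pop(c);
  }
  return pop(tmp).toString(24);
}

// For char codes up to 1336, 49*c + 41 stays below NORM, so pop(c) never
// wraps: each character adds 50*c + 41, and the digest depends only on the
// sum of the character codes and the string length.
function closedFormDigest(str) {
  let sum = 0;
  for (let i = 0; i < str.length; i++) sum += str.charCodeAt(i);
  return pop(50 * sum + 41 * str.length).toString(24);
}

// Which candidates would the posted test() accept for a stored digest?
function acceptedBy(stored, candidates) {
  return candidates.filter((s) => cryptDigest(s) === stored);
}

// Count distinct digests over every string of `length` drawn from `alphabet`.
function digestSpread(alphabet, length) {
  const seen = new Set();
  let inputs = 0;
  const walk = (prefix) => {
    if (prefix.length === length) {
      inputs++;
      seen.add(cryptDigest(prefix));
      return;
    }
    for (const ch of alphabet) walk(prefix + ch);
  };
  walk("");
  return { inputs, distinct: seen.size };
}

// Constructed inputs: a reordering, a same-sum variant, and a case change.
const SAMPLES = ["DynAPI", "IPAnyD", "EynAPH", "dynapi"];
console.log(acceptedBy("2a74", SAMPLES));
console.log(digestSpread("abcdefghijklmnopqrstuvwxyz", 3));
```

A salted, deliberately slow password hash with a large output removes these collisions, but a comparison value shipped to the browser can still be tested offline by anyone who has the page, so the verification itself belongs on the server.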