>>> Russell Neufeld <[EMAIL PROTECTED]> 10/14/99 2:57:49 PM
>>>
>Can you send me or post to this news group the javascript that you used to
>encrypt the fields of the form before they are posted?
This might be beneficial to the whole list... It *is* an enormous
kludge though.
=-= First unencryption of pages sent to the browser encrypted, or
with encrypted parts =-=
The JavaScript should be generated by the servlet when it produces
the page with the encrypted bits in.
The JS that is written must be a procedure to un-encrypt the
encrypted string.
To do the unencryption you call an applet's method; the applet must be
present in the page and be set with some sort of key (i.e. a username
or password).
This sort of code is used in outputting the servlet:
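ServletOutputStream out=resp.getOutputStream();
//set up the applet here.... by writing the tag to out
String ciphertext=CipherClass.doEncryption( "This is the clear text" );
out.println("<script>");
//use print (not println) so the ciphertext stays on one line inside the
//JS string literal; the ciphertext must not contain a double quote,
//backslash or newline, so base64-encode it first
out.print("var unencrypted=document.EncApplet.decrypt(\"");
out.print( ciphertext );
out.println( "\")" );
out.println( "document.write( unencrypted );" );
out.println( "</script>" );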
If the ciphertext=="jlhsfalOIUD825987ljsal'ej[hnv" then this will
produce the following HTML going to the browser:
<script>
var unencrypted=document.EncApplet.decrypt("jlhsfalOIUD825987ljsal'ej[hnv")
document.write( unencrypted );
</script>
Which the browser will then deal with (as long as the applet is
loaded) so that what appears is simply the clear text version of the
ciphertext.
=-= Now encryption of variables to be sent to the server =-=
Form values that are sent to the browser need to be encrypted by
having the submit on the form call a JS method to encrypt the values
(and base64 encode the ciphers - since ciphers often produce non
RFC1760 characters), store the ciphered-encoded values back in their
fields and then submit the form.
Here is an example JS procedure:
<script>
function doCipherSubmit()
{
  // encrypt() is an assumed name for the applet's encryption method
  // (the counterpart of decrypt() above)
  document.SomeForm.IdField.value=
    document.EncApplet.encrypt(document.SomeForm.IdField.value);
  document.SomeForm.PasswordField.value=
    document.EncApplet.encrypt(document.SomeForm.PasswordField.value);
  document.SomeForm.submit();
}
</script>
and the accompanying HTML form:
<form method="GET" name="SomeForm">
<input type="text" name="IdField" value="Nic">
<input type="password" name="PasswordField" value="clearpassword">
<!-- the button must not be named "submit": that name would shadow SomeForm.submit() -->
<input type="button" name="go" value="doit" onClick="doCipherSubmit()">
</form>
Of course, you could write much better JS that took the form to
encrypt as an argument and worked out the fields to encrypt. You could
probably use a naming convention to decide which particular fields to
encrypt if you didn't want them all encrypted.
=-= Other stuff =-=
One of the things I hope to do is build a generic servlet Writer and
applet for doing this. The Writer would be used by the servlet to add
the ciphertext parts and would include the necessary cipher classes.
The Writer would have methods like:
println(String)
print(String) //normal methods
printlnCiphered(String cleartext)
printCiphered(String cleartext) //cipher methods
The cipher methods would output all the necessary JS to handle the
ciphering of the strings.
The only problem with this is how to ensure:
1. that the applet gets sent
2. that the applet is initialised with the key to the cipher text
properly
and also:
3. how to deal with stuff that must come FROM the client encrypted,
there is no easy solution to this except to define tags that get
picked up by the Writer automatically, but then one might as well use
GNU weblook, ECS or webmacro.
Other than these fairly major obstacles the system would be a *half
way* decent alternative to SSL.
Nic Ferrier
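
The generalised submit handler suggested in the message above (take the form as an argument, choose the fields by a naming convention), as an added example that is not part of the original post. The "enc_" prefix, the encrypt() method name and the XOR stand-in cipher are assumptions made for the illustration.

```javascript
// Assumed convention (not from the post): only fields whose name starts
// with "enc_" are encrypted; everything else is submitted as typed.
const ENC_PREFIX = "enc_";

// Base64-encode a string of byte-valued characters (0-255), since raw
// cipher output is not safe to put in a form value.
function toBase64(bytes) {
  for (const ch of bytes) {
    if (ch.charCodeAt(0) > 255) throw new RangeError("cipher output is not byte-valued");
  }
  return typeof btoa === "function"
    ? btoa(bytes)
    : Buffer.from(bytes, "latin1").toString("base64");
}

// Encrypt every matching field of `form` in place; return the names changed.
// `cipher` is any object with encrypt(string) -> string, e.g. the applet.
function encryptFormFields(form, cipher) {
  const changed = [];
  for (const field of Array.from(form.elements)) {
    const name = field.name || "";
    if (!name.startsWith(ENC_PREFIX)) continue;
    if (field.type === "button" || field.type === "submit") continue;
    // Skip empty fields and fields already ciphered by an earlier click,
    // otherwise a double click would encrypt the ciphertext again.
    if (field.value === "" || field.ciphered) continue;
    field.value = toBase64(cipher.encrypt(field.value));
    field.ciphered = true;
    changed.push(name);
  }
  return changed;
}

// Encrypt, then submit. A control named "submit" shadows form.submit() in
// browsers, so the method is taken from the prototype when a DOM exists.
function cipherSubmit(form, cipher) {
  const changed = encryptFormFields(form, cipher);
  const submit = typeof HTMLFormElement !== "undefined"
    ? HTMLFormElement.prototype.submit
    : form.submit;
  submit.call(form);
  return changed;
}

// Constructed stand-in for the applet so the code runs without one.
// XOR with a fixed byte is NOT encryption; it only exercises the plumbing.
const demoCipher = {
  encrypt: (s) => Array.from(s, (c) => String.fromCharCode(c.charCodeAt(0) ^ 0x5a)).join(""),
};
```

In a page this would be wired up as onClick="cipherSubmit(document.SomeForm, document.EncApplet)", with the two sensitive fields renamed to carry the prefix.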