SSL would probably be the most practical solution, and would be acceptable
to the clients of the products. I have not done much work in Java or
Javascript, but I am not sure how the arithmetic required for the encryption
code could be managed in Javascript. (Implement it in an applet, instead?).
I have tinkered around with n-bit arithmetic in C/C++, and never felt too
sure whether the implementation was correct through the range of numbers
covered by the bit length :)

Could the Javascript be hidden, at least at a superficial level, by defining
it in a separate file which is included via the SRC tag, or using
document.write(...)? It has been my observation that viewing the source from
the browser simply displays these including tags, and not the script code.

- meghadri

-----Original Message-----
From: Mikhail A.Golovanov <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, January 31, 2000 7:49 PM
Subject: Re: Encryption !!


>There are a lot of cryptography samples in java around - you can
>use them to encode passwords and save them encoded to the password file.
>Here is my method - I do not remember where I found it, only that it is
>RSA-based. Here is the password encoder using the password itself as a
>public key:
>
>  // Requires: import java.math.BigInteger;
>  public String encrypt( String Password )
>  {
>    String retval = "";
>    if( Password == null || Password.length() == 0 ) return retval;
>    byte[] Bytes = Password.getBytes();
>    // Derive an exponent from the password: the next probable prime at or above its byte value.
>    BigInteger PrivateKey = new BigInteger( Bytes );
>    while( !PrivateKey.isProbablePrime( 100 ) ) PrivateKey = PrivateKey.add( m_ONE );
>    BigInteger PublicKey = PrivateKey.modInverse( m_PrimeX.subtract( m_ONE ).multiply( m_PrimeY.subtract( m_ONE ) ) );
>    byte[] temp;
>    // Split the password into 8-byte blocks, zero-padding the last one.
>    int BigDigitsLength = Bytes.length / 8 + ( Bytes.length % 8 > 0 ? 1 : 0 );
>    BigInteger[] bigdigits = new BigInteger[ BigDigitsLength ];
>    for( int i = 0; i < Bytes.length; i += 8 )
>    {
>      temp = new byte[ 8 ];
>      for( int j = 0; j < 8; j++ )
>        if( i + j < Bytes.length ) temp[ j ] = Bytes[ i + j ]; else temp[ j ] = 0;
>      bigdigits[ i / 8 ] = new BigInteger( temp );
>    }
>    //BigInteger[] encrypted = new BigInteger[ bigdigits.length ];
>    try
>    {
>      // Raise each block to the derived exponent modulo m_Modulo and
>      // concatenate the decimal results.
>      StringBuffer retbuf = new StringBuffer();
>      for( int j = 0; j < bigdigits.length; j++ )
>        retbuf.append( bigdigits[ j ].modPow( PublicKey, m_Modulo ).toString() );
>      retval = retbuf.toString();
>    }
>    catch( Exception e ) {  return retval;      }
>    return retval;
>  }
>
>  ...
>  // RSA data
>  private static final BigInteger   m_PrimeX                  = new BigInteger("13529597555908415873");
>  private static final BigInteger   m_PrimeY                  = new BigInteger("12126300757719360319");
>  private static final BigInteger   m_Modulo                  = new BigInteger("164063969093850228837190614238185943487");
>  // A BigInteger representation of the number one.
>  private static final BigInteger   m_ONE                     = new BigInteger("1");
>
>Password validation consists of
>- encrypting the user provided password and
>- comparing it to the stored one for that user.
>
>Do not worry about cracking - it's not an easy task to decrypt the password
>encrypted this way - it's 64-bit RSA - even if the numbers used are
>permanent. If you want, please do decrypt my favorite password:
>
>113089639727704902357479481329649526643
>
>
>-----Original Message-----
>From: A mailing list for discussion about Sun Microsystem's Java Servlet API
>Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of Martin Jarvis
>Sent: Monday, January 31, 2000 1:14 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Encryption !!
>
>
>Wouldn't SSL be a better solution? After all, if you use JavaScript to
>perform the encryption, the Javascript code will be visible to anyone
>capable of doing a view source and therefore your password encryption
>routines would be easily crackable.
>
>Regards,
>
>Martin
>
>-----------------------------------------------------------------
>Principal Consultant
>ATS-EMEA
>Oracle Corporation
>
>----- Original Message -----
>From: Ramakanth Padmanabhan Sengamedu <mailto:[EMAIL PROTECTED]>
>To: <mailto:[EMAIL PROTECTED]>
>Sent: Monday, 31 January 2000 9:53 am
>Subject: Encryption !!
>
>
>> hi
>>         Has anybody done encryption of passwords in javascript used in login
>> page of the application and in servlets too. Can you share the code. Thanks in
>> advance
>> Ramakanth
>>
>>
>> ___________________________________________________________________________
>> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
>> of the message "signoff SERVLET-INTEREST".
>>
>> Archives: http://archives.java.sun.com/archives/servlet-interest.html
>> Resources: http://java.sun.com/products/servlet/external-resources.html
>> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>>