They also understand that the one-way hashes aren't unique, right?  Two
values may hash (or, more accurately, message digest) to the same value, but
that doesn't mean they're equal.

On Tue, Aug 3, 2010 at 2:24 PM, <mzem...@osc.state.ny.us> wrote:

> I have to laugh because I also agree it's kind of crazy...
>
> Yes the original value must be hashed by the client.  The reasoning being
> that SSL could be broken and expose the data.  I don't necessarily agree
> but that's how the original system was written.
>
>
>
>
> James Carman <ja...@carmanconsulting.com>
> Sent by: jcar...@carmanconsulting.com
> 08/03/2010 02:19 PM
> Please respond to
> users@wicket.apache.org
>
>
> To
> users@wicket.apache.org
> cc
>
> Subject
> Re: Encrypt Form Fields Using JS
>
>
>
>
>
>
> And, you don't want to convert it before you store it in the db?  It must be
> converted at the browser level?  Is there any more information you can give
> us that would make this requirement not sound so crazy? :)
>
> On Tue, Aug 3, 2010 at 2:15 PM, <mzem...@osc.state.ny.us> wrote:
>
> > Correct
> >
> >
> >
> >
> > James Carman <ja...@carmanconsulting.com>
> > Sent by: jcar...@carmanconsulting.com
> > 08/03/2010 02:12 PM
> > Please respond to
> > users@wicket.apache.org
> >
> >
> > To
> > users@wicket.apache.org
> > cc
> >
> > Subject
> > Re: Encrypt Form Fields Using JS
> >
> >
> >
> >
> >
> >
> > So, you never need to get the original values out of the database?
> >
> > On Tue, Aug 3, 2010 at 2:10 PM, <mzem...@osc.state.ny.us> wrote:
> >
> > > An already existing system is being rewritten and the db currently stores
> > > hashed values.  I don't disagree there are better ways to reach the end
> > > goal, but this is the spec I am working with.
> > >
> > >
> > >
> > >
> > > James Carman <ja...@carmanconsulting.com>
> > > Sent by: jcar...@carmanconsulting.com
> > > 08/03/2010 01:45 PM
> > > Please respond to
> > > users@wicket.apache.org
> > >
> > >
> > > To
> > > users@wicket.apache.org
> > > cc
> > >
> > > Subject
> > > Re: Encrypt Form Fields Using JS
> > >
> > >
> > >
> > >
> > >
> > >
> > > And, what does that buy you?  Why do you want to submit one-way hashed
> > > values?
> > >
> > > On Tue, Aug 3, 2010 at 1:37 PM, <mzem...@osc.state.ny.us> wrote:
> > >
> > > > Ok, the value will be hashed, one-way...anyone have any ideas?
> > > >
> > > >
> > > >
> > > >
> > > > James Carman <ja...@carmanconsulting.com>
> > > > Sent by: jcar...@carmanconsulting.com
> > > > 08/02/2010 04:42 PM
> > > > Please respond to
> > > > users@wicket.apache.org
> > > >
> > > >
> > > > To
> > > > users@wicket.apache.org
> > > > cc
> > > >
> > > > Subject
> > > > Re: Encrypt Form Fields Using JS
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Then it's not "encryption".  Encrypted data should be readable to those
> > > > who have the "key."
> > > >
> > > > On Mon, Aug 2, 2010 at 3:29 PM, <mzem...@osc.state.ny.us> wrote:
> > > >
> > > > > Thanks for the reply, that would work however per our business rules the
> > > > > encryption must be one-way and will not be decrypted...
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Igor Vaynberg <igor.vaynb...@gmail.com>
> > > > > 08/02/2010 03:23 PM
> > > > > Please respond to
> > > > > users@wicket.apache.org
> > > > >
> > > > >
> > > > > To
> > > > > users@wicket.apache.org
> > > > > cc
> > > > >
> > > > > Subject
> > > > > Re: Encrypt Form Fields Using JS
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > > override getinputasarray() on the field and decrypt it there, that way
> > > > > > wicket sees the decrypted value
> > > > >
> > > > > -igor
> > > > >
> > > > > On Mon, Aug 2, 2010 at 12:14 PM,  <mzem...@osc.state.ny.us> wrote:
> > > > > > > I totally agree, seems like double-duty that accomplishes very little, and
> > > > > > > actually adds overhead.  But this is another debate and the feature has
> > > > > > > been requested and must be implemented as I described...
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > "Craig McIlwee" <craig.mcil...@openroadsconsulting.com>
> > > > > > 08/02/2010 03:06 PM
> > > > > > Please respond to
> > > > > > users@wicket.apache.org
> > > > > >
> > > > > >
> > > > > > To
> > > > > > users@wicket.apache.org
> > > > > > cc
> > > > > >
> > > > > > Subject
> > > > > > Re: Encrypt Form Fields Using JS
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > > Why not use a password field to keep the value hidden and SSL to make sure
> > > > > > > there are no man in the middle attacks.  Seems like you are making it too
> > > > > > > hard?
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: mzem...@osc.state.ny.us
> > > > > > To:
> > > > > > users@wicket.apache.org
> > > > > > Sent: Mon, 02 Aug 2010 15:00:55 -0400
> > > > > > Subject:
> > > > > > Encrypt Form Fields Using JS
> > > > > >
> > > > > >
> > > > > > >> Problem: Encrypt sensitive form fields (ie ssn) on client (javascript)
> > > > > > >>
> > > > > > >> Solution:  Create behavior which fires javascript to hash field value and
> > > > > > >> replace original value (###-##-####)
> > > > > > >>
> > > > > > >> This sounds simple enough, but since the length of the hashed string will
> > > > > > >> be considerably longer than the original string, validations on this field
> > > > > > >> (ssn must be nine digits) will fail.
> > > > > > >>
> > > > > > >> I've considered placing the hashed value into a hidden field, but then the
> > > > > > >> unencrypted value will be posted and the hashing accomplishes nothing.  If
> > > > > > >> I clear out the original value I lose server-side validations.  Anyone
> > > > > > >> have any ideas of the best way to accomplish this?
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > > >> Notice: This communication, including any attachments, is intended solely
> > > > > > >> for the use of the individual or entity to which it is addressed. This
> > > > > > >> communication may contain information that is protected from disclosure
> > > > > > >> under State and/or Federal law. Please notify the sender immediately if
> > > > > > >> you have received this communication in error and delete this email from
> > > > > > >> your system. If you are not the intended recipient, you are requested not
> > > > > > >> to disclose, copy, distribute or take any action in reliance on the
> > > > > > >> contents of this information.
> > > > > >
> > > > > >
> > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > > > > > For additional commands, e-mail: users-h...@wicket.apache.org
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Notice: This communication, including any attachments, is
> intended
> > > > > solely
> > > > > > for the use of the individual or entity to which it is
> addressed.
> > > This
> > > > > > communication may contain information that is protected from
> > > > disclosure
> > > > > > under State and/or Federal law. Please notify the sender
> > immediately
> > > > if
> > > > > > you have received this communication in error and delete this
> > email
> > > > from
> > > > > > your system. If you are not the intended recipient, you are
> > > requested
> > > > > not
> > > > > > to disclose, copy, distribute or take any action in reliance on
> > the
> > > > > > contents of this information.
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> >
> >
>
>
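
Added example, not part of the thread: one way to resolve the conflict raised in the original question, where the nine-digit rule fails once the field holds a hash. The nine-digit check runs on the cleartext before hashing and the server checks only the shape of the digest. SHA-256, the function names and the sample values in the comments are assumptions, and Node's crypto module stands in for the browser's hashing call so the sketch runs offline.

```javascript
// Added example: validate first, then post only the digest.
const { createHash } = require("crypto");

// Assumed formats: ###-##-#### or nine bare digits in, SHA-256 hex out.
const SSN_FORMAT = /^\d{3}-?\d{2}-?\d{4}$/;
const DIGEST_FORMAT = /^[0-9a-f]{64}$/;

// Client side (hypothetical helper): apply the nine-digit rule to the
// cleartext, then replace the field value with its digest so the
// cleartext is never posted, e.g. prepareSsnField("123-45-6789").
function prepareSsnField(rawValue) {
  const value = String(rawValue).trim();
  if (!SSN_FORMAT.test(value)) {
    return { ok: false, error: "SSN must be nine digits" };
  }
  // Strip dashes so the same number always yields the same digest.
  const canonical = value.replace(/-/g, "");
  const digest = createHash("sha256").update(canonical, "utf8").digest("hex");
  return { ok: true, posted: digest };
}

// Server side (hypothetical helper): the nine-digit validator can no longer
// run, because the server never sees the digits. What it can still enforce
// is that the posted value is a well-formed digest and not cleartext.
function validatePostedSsn(posted) {
  if (typeof posted !== "string" || !DIGEST_FORMAT.test(posted)) {
    return { ok: false, error: "expected a 64-character hex SHA-256 digest" };
  }
  return { ok: true, stored: posted };
}
```

Because a nine-digit field has only 10^9 possible inputs, an unsalted digest of it should be stored and handled with the same care as the cleartext.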
