Next »

How Does Password Encryption Work well? Illustration With a Typical Example

blog post

How Does Password Encryption Work well? Illustration With a Typical Example
Let's start from thinking about which all places can we actually need to put encryption into action and just how do we implement them? Except the wide ranging encryption done at the Database end, there's 2 popular approaches of implementing encryption - One, which is done at the client side (normally the one we will mainly mention in this article) and Two, which can be done at the server side (i.e., the request carries the specific password and at the server it's encrypted to become processed further). Bcrypt Hash Generator

The previous of the two is obviously advisable to have as it eliminates the chance of the request being intercepted in the center before it actually reaches the web/app server. Well... you can say that the data packaged in a HTTP POST request is automatically encrypted in case of HTTPS, but an extra level of encryption will only improve the security of the web application. Obviously, the implementation should not be too much time consuming otherwise the advantages of having a more secure application will probably be ruled over through the frustration it might provoke its end-users.

Though, this will depend upon the actual implementation, but possibly the preferred choice (in highly secure systems) is the actual password shouldn't be exposed anywhere in system, this means the encrypted password saved in DB is fetched and probably not decrypted to actual password that your end-user uses, but instead a few other form which is matched together with the decrypted one at the middle-tier to authenticate the user.

The entered password is first encrypted at the client side while using Public Key ('public key1' inside the above diagram) and then the encrypted password reaches the App Server where it's decrypted a corresponding Private Key ('private key1' from the above diagram). App Server also fetches the password kept in the database, which can need to be decrypted using another Private Key ('private key2' from the above diagram). Now, the implementation from the algorithms and the generation from the keys should be in ways that both the decrypted passwords 'decryptedpwd1' and 'decryptedpwd2' should match equal for the valid cases and they should be unequal otherwise. Decrypt Bcrypt Online

Just how can the encryption be implemented? Will JavaScript/VBScript suffice?

Next question arises, exactly how should we do it effectively and also at the same time without consuming enough time? The fastest possible way could possibly be to have some mechanism in place so that the encryption can take place at the client side only. Okay, just how can the encryption happen at the client side? When we put both the encryption also definition along with the public key in the JavaScript (or VBScript) code and the other can easily see everything simply by viewing the page source. Did you think that making the JavaScript external can solve your complaint? As in you only declare the JS file therefore and not list down the contents. Well... if you did think this, you got to think again. A external JS file is every bit exposed for viewing with the clients as you can simply type the path (if the path is absolute Or maybe append the relative way to the roor URL) inside the browser window and the whole JS will be there that you should be viewed. We'll see examples below. Evidently, the encryption won't really carry any benefit here.

How else will we do it at the client side? Just how would Applets be?

Yeah... congratulations, you got a better strategy for handling the situation. As we know that applets are also downloaded for the client machine and so are executed at client machine itself, therefore we can now make use of the Java programming language and its security mechanism to have the encryption implemented in a far better manner. What's probably a more appealing about this approach is you can NOT see the source with the applet class(es) directly. They may be normally shipped in JAR bundles giving an extra layer of security. It is possible to claim that since the JARs are downloaded and the .class file in the applet class runs within the vicinity of the client JVM and so the bytecodes would certainly be available which could then be de-compiled to take a look at the source. Yeah, you're are right that this bytecodes are available at the client machine and it can be decompiled. But, what makes this approach better than the JavaScript approach could be understood by following points:

 Bytecode tempering is automatically detected: if the intruder somehow gets their hands on the bytecodes and changes that, the changed bytecode will throw the best while running whereas these changes in the JavaScript (or VBSCript) source defintely won't be detected.
 Security Mechanism of Java is more versatile: what we brought up in the above point can be an integral part of the Java Security mechanism, however it is not only limited to this. The correct answer is versatile and layered. No such benefit is accessible with JavaScript (or VBScript).
 JVM comes with a far more consistent environment: bytecodes run within a Java Virtual Machine which obviously provides a far more consistent and stable environment as opposed to environment in which JavaScript (or VBSCript) code runs.
 Impl of different public/private keys for every new request: you may be aware of the Secure Key concept which forms included in the password on many systems. The actual idea in such implementations is usually to have part of the password which ensures you keep on changing on a continuous basis and so making it virtually impossible for that attackers to reckon that. Similarly, if we want to intensify the encryption strength to a even higher level, we could put in place different public/private key combinations for each new request.


Posted Sep 07, 2015 at 8:05am