4

I have an application with a frontend in HTML and JavaScript and a backend in Java. I need to use RSA to send passwords and sensitive stuff. I'm using JSEncrypt in JavaScript and Bouncy Castle in Java. I need to know how I can manage keys. If I create keys dynamically in JavaScript, how can I send the private key to my backend, or vice versa? My JavaScript code is visible to the user, so storing the private key in JavaScript is not an option.

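JavaScript code:

```javascript
var text = "Hello World";
var privkey="MIICdQIB..........";
var pubkey="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvFZQtGLPQKV0h....";

// Encrypt with the public key; JSEncrypt returns the ciphertext as Base64.
var encrypt = new JSEncrypt();
encrypt.setPublicKey(pubkey);
var ciphertext = encrypt.encrypt(text);
// base64ToHex / hexToBase64 are conversion helpers that are not shown in the post.
var cipher = base64ToHex(ciphertext);
console.log("ciphertext  : " + cipher);

// Decrypt with the private key.
var decrypt = new JSEncrypt();
decrypt.setPrivateKey(privkey);
var plaintext = decrypt.decrypt(hexToBase64(cipher));
console.log("plaintext  : " + plaintext);
```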

And for the Java code, see the example at: http://www.mysamplecode.com/2011/08/java-rsa-encrypt-string-using-bouncy.html

  • _If I create keys dynamically in javascript how can I send private key to my backend or vice-versa_ Do not send private keys over the network. Why don't you just use an SSL encrypted channel to protect the data? – pedrofb Jul 24 '18 at 07:02
  • I need double encryption; though I'm using https, I still need two-way communication through the RSA algorithm. – Praveen Kumar Jul 24 '18 at 07:29
  • OK, if you need to encrypt in both directions, each party (frontend, backend) will need a pair of RSA keys. In no case is it necessary to send the private key to the other party. Messages are encrypted with the receiver's public key and decrypted with the private key. To safely store the generated key pair on the client side you will need to use the native Web Cryptography API. This library allows you to generate and use keys without exposing the keying material. – pedrofb Jul 24 '18 at 07:44
  • Thank you, will try using that. – Praveen Kumar Jul 24 '18 at 07:51

1 Answer

0

> and for java code see example on : http://www.mysamplecode.com/2011/08/java-rsa-encrypt-string-using-bouncy.html

Please note this example is wrong from a usability perspective. RSA itself is intended to encrypt a small piece of information (such as keys for symmetric encryption), not any longer/larger data. Have a look at hybrid cryptosystems. And when using the older PKCS1.5 padding, the encrypted data need to have high entropy. So - do not use RSA with the data themselves, rather use a hybrid cryptosystem (most of the high-level libraries will do that).

> I need double encryption

It adds complexity, but not necessarily security.

You'd need to encrypt data outside TLS (https) only when you intend to store or resend the data encrypted. Maybe you do, we just don't see any justification.

The issue is - RSA is intended to ensure integrity and confidentiality of data. TLS (based on RSA or elliptic curves) also protects against the MIM (man-in-the-middle) attack. If you randomly generate the keys without the possibility of validating the identity (using a certificate authority), the MIM (behind TLS) is feasible.

> I need to know how can I manage keys. If I create keys dynamically in javascript how can I send private key to my backend or vice-versa.

In asymmetric encryption (RSA) the sender needs only the target's public key to encrypt data. And to make the security complete, the target needs the sender's public key to validate the signature (if the message is signed).

Basically you can generate a random (symmetric) encryption key and encrypt the key with RSA. Then the client could send the IV (salt, used with symmetric encryption), the RSA-encrypted symmetric key, the encrypted data (with the symmetric encryption key) and a MAC (message authentication code - hash and signature) to the other side.

gusto2
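The envelope described in the answer above, as an added example that is not part of the original post: a fresh AES-256 key encrypts the data and only that key is RSA-encrypted with the receiver's public key. It assumes Node.js's built-in `crypto` module so both sides run in one file, RSA-OAEP with SHA-256, and AES-GCM, whose authentication tag stands in for the MAC; the names `generateReceiverKeys`, `seal` and `unseal` are hypothetical.

```javascript
const crypto = require("node:crypto");

// Assumption: RSA-OAEP with SHA-256 instead of the older PKCS#1 v1.5 padding.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Receiver: generates the pair and publishes only the public key.
function generateReceiverKeys() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Sender: needs nothing but the receiver's public key.
function seal(receiverPublicKey, plaintext) {
  const key = crypto.randomBytes(32); // one-time symmetric key for this message
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, unique per message
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: receiverPublicKey, ...OAEP }, key);
  return {
    wrappedKey: wrappedKey.toString("base64"), // RSA-encrypted symmetric key
    iv: iv.toString("base64"),
    data: data.toString("base64"),             // AES-encrypted payload
    tag: cipher.getAuthTag().toString("base64"), // integrity check (MAC role)
  };
}

// Receiver: unwraps the symmetric key with the private key, then decrypts.
function unseal(receiverPrivateKey, msg) {
  const key = crypto.privateDecrypt(
    { key: receiverPrivateKey, ...OAEP },
    Buffer.from(msg.wrappedKey, "base64")
  );
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(msg.iv, "base64"));
  decipher.setAuthTag(Buffer.from(msg.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(msg.data, "base64")),
    decipher.final(), // throws if iv, data or tag was modified in transit
  ]).toString("utf8");
}

// Constructed sample: 1200 bytes, far more than a single RSA-2048 block can hold.
const { publicKey, privateKey } = generateReceiverKeys();
const envelope = seal(publicKey, "Hello World ".repeat(100));
console.log(Object.keys(envelope), unseal(privateKey, envelope).length);
```

The private key never leaves the receiver, and the RSA operation only ever sees the 32-byte symmetric key regardless of payload size.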