The reason why you need encryption at all is probably to protect against a man-in-the-middle. There are scenarios where an attacker is able to sniff at the traffic without being able to change it. This solution would protect against that threat, but it would provide no protection at all against a man-in-the-middle that is able to modify the traffic.
The goal is to prevent login request replay attacks based on network sniffing. Of course, this is not as secure as HTTPS since it would not resist man-in-the-middle attacks, but it can be sufficient for local networks.
The client-side encryption uses Travis Tidwell's excellent work which is based on JSBN. Travis' web page can also generate the private and public RSA keys (if you are too lazy to use openssl). The keys are generated in PKCS#1 PEM format. I encrypt username+password+timeInMs+timezone so that the encrypted content changes at each login.
On the server-side, my Java code reads the PKCS#1 PEM file using Apache JMeter's

    PrivateKey pk = (new PrivateKeyReader("myPrivateKeyFile.pem")).getPrivateKey();

Then I decrypt the encrypted content using

    import javax.crypto.Cipher;
    import javax.xml.bind.DatatypeConverter;

    // clientData is the Base64 ciphertext received from the browser
    byte[] enc = DatatypeConverter.parseBase64Binary(clientData);
    Cipher rsa = Cipher.getInstance("RSA");
    rsa.init(Cipher.DECRYPT_MODE, pk);   // pk is the private key loaded above
    byte[] dec = rsa.doFinal(enc);
    String out = new String(dec, "UTF8");

Then I check if the client-side timestamp/timezone match the server-side timestamp/timezone. If the delay is less than a few seconds, the login process continues. Otherwise the request is considered a replay attack and the login fails.
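
One way to implement the timestamp check described above, as an added example that is not the answer author's code. It assumes the decrypted string holds four newline-separated fields with timeInMs as epoch milliseconds (so the timezone field is not needed for the comparison) and a 5-second window, none of which the answer specifies; `LoginReplayGuard` and its members are hypothetical names. It goes beyond the answer by also rejecting a second use of the same payload inside the window, where the timestamp alone would still pass.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LoginReplayGuard {
    // Assumed acceptance window; the answer only says "a few seconds".
    private static final long MAX_SKEW_MS = 5_000;
    // Digest of each accepted payload -> time after which it is stale anyway.
    private final Map<String, Long> seen = new ConcurrentHashMap<>();

    /** Returns {username, password} if the payload is fresh and unseen, else null. */
    public String[] check(String decrypted, long nowMs) throws Exception {
        // Assumed layout (not given on the page): four '\n'-separated fields.
        String[] f = decrypted.split("\n", -1);
        if (f.length != 4) return null;
        long clientMs;
        try {
            clientMs = Long.parseLong(f[2]);   // timeInMs, assumed epoch milliseconds
        } catch (NumberFormatException e) {
            return null;
        }
        // Reject stale and future-dated timestamps; explicit bounds avoid the
        // overflow that Math.abs(nowMs - clientMs) has for extreme values.
        if (clientMs < nowMs - MAX_SKEW_MS || clientMs > nowMs + MAX_SKEW_MS) return null;

        // A capture replayed inside the window still carries a valid timestamp,
        // so remember a digest of every accepted payload until it expires.
        // Keying on the plaintext ignores re-encodings of the same Base64 ciphertext.
        seen.values().removeIf(expiry -> expiry < nowMs);
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(decrypted.getBytes(StandardCharsets.UTF_8));
        String key = Base64.getEncoder().encodeToString(d);
        if (seen.putIfAbsent(key, clientMs + MAX_SKEW_MS) != null) return null;
        return new String[] { f[0], f[1] };
    }

    public static void main(String[] args) throws Exception {
        LoginReplayGuard g = new LoginReplayGuard();
        long now = System.currentTimeMillis();
        String p = "alice\nconstructed-pw\n" + now + "\nEurope/Paris"; // constructed sample
        System.out.println(g.check(p, now) != null);          // first use
        System.out.println(g.check(p, now + 1_000) != null);  // replay inside the window
        System.out.println(g.check(p, now + 60_000) != null); // replay after the window
    }
}
```
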
If not, nothing prevents a man in the middle from changing the scripts. Any encryption will be useless if the code that has access to the unencrypted data is compromised.
Asymmetric public key/private key is the only way to do this. To protect against MIM attacks the server can hash the public key with the user's password, then the user (in the browser) re-computes the hash - if they match then the user can be confident that the public key sent from the server has not been tampered with - this relies on the fact that only the server and the user know the user's password.
PS I wanted to write this as a comment as that would be more appropriate than an answer, but I don't have enough points :)