Slightly OT: encryption

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

Hi all,

I've reached the limits of my knowledge and was wondering if anyone out
there is better informed.

I'm trying to setup a system of secure encryption for exchanges between
browser and server WITHOUT using SSL. I have hashing (MD5) at both ends and
symmetric encryption (TEA). If anybody knows a SECURE asymmetric encryption
algorithm which works with javascript - do let me know.

I have a reasonably secure logon system - server sends challenge and stores
MD5(challenge+password). Browser sends back MD5(challenge+password).

It occurred that if I could store the password at the browser end, I could
use it as the encryption key for future exchanges. But where to store it?

I could put it in a cookie, but that gets sent in the clear with each

If I put it in a secure cookie or a cookie with an obfusticated path it
wouldn't get sent back, but the browser can't read it either!

Is there anywhere I can store a value using javascript which is readable by
javascript but not normally sent back to the server?

Alternatively, is there any information available in Javascript which is not
normally sent back to the server? (if so I can use this to encrypt the
password before storing it in the cookie)?

(I realise that an XSS vulnerability would expose the password, but I'm not
looking to do serious stuff like credit card details).



Re: Slightly OT: encryption

[Followup-to: comp.lang.php,]
Colin McKinnon wrote:


Quoted text here. Click to load it
readable by

   I guess, two solutions:
  1. Use frameset and stuff the hash to the JavaScript variable in
another (static) frame; and then reuse that.
  2. Use application like interface with XMLHttpRequest and div based
rendering container--so that the page won't get refreshed (so that you
may use the JavaScript variables), but you only paint/render the
rendering container. Last time when I checked Gmail, it used similar


Quoted text here. Click to load it
I'm not

   In the world of 1's and 0's, there is no bulletproof solution. Also,
you may not be in a position to convince the end users about your two
way encryption solution when you're doing in http. (FWIW, IIRC, it is
quite illegal to get credit card details even over SSL on your site.)

  <?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com    Blog: /

Site Timeline