1

Is there any way that i can (securely, base64 ruled out) encrypt data in javascript without using encryption keys. I know its unlikely, because my encryption engine would be available, but does anyone know of any method that can be used

EDIT:

Upon request, i am trying to hide data that a user entered into a textbox before it gets submitted. The data is completely random and the user will never be asked to write it again. Its not a password, its essentially like a post

asked Jan 8, 2013 at 16:29
7
  • 2
    Once JavaScript code hits the client, it can be read. So even if you encrypt it, I can see that code and decrypt it myself. Commented Jan 8, 2013 at 16:31
  • Generally not possible. But depending on your scenario there might be something you can do. For example if you want to encrypt user password for authentication, then it is enough to hash it. And revealing hashing algorithm means nothing, because of the way hashing functions work. Commented Jan 8, 2013 at 16:33
  • Are you talking about captcha? Then you should send an image with a random database ID. I'm not sure where's the problem. Maybe you should explain it more, because you might not have to use any encryption at all. Commented Jan 8, 2013 at 16:54
  • No. The user posts something random that doesn't exist in a database Commented Jan 8, 2013 at 16:58
  • 1
    OK, if it is essentially like a post, then why is security an issue here? You have to give us more details. Commented Jan 8, 2013 at 16:59

3 Answers 3

2

No.

You need keys for encryption to be secure.

If you don't have keys then either nobody can unlock it or everybody can.

answered Jan 8, 2013 at 16:31
Sign up to request clarification or add additional context in comments.

4 Comments

Thought so. I'll find a way to use encryption keys
Most of the time, if you want to do encryption in JS, you're solving the wrong problem. What are you actually trying to achieve?
I'm essentially trying to supplement SSL (because i will have considerable traffic, and i don't want to buy a cert). I just want the data to be secured before it is sent over the server
A cert costs something like 10ドル a year. Use SSL. There is a reason it is the industry standard.
1

I think it would be more helpful if you explained what you were trying to accomplish. What are you trying to protect? Who are you trying to protect it from? Where are you sending the data?

If you are trying to hide something from the client, encrypting it on the clients machine means you would never be truly secure.

If you are trying to have the client send encrypted data to a server of yours, why not just use SSL? This is far easier.

answered Jan 8, 2013 at 16:35

Comments

1

Why not HTTPS?

What's the source of the data and where is it going? What's the difficulty of using keys? Again, why not HTTPS?

NEVER trust client-side data! ALWAYS presume can be deleted anytime and user can access and edit it anytime.

answered Jan 8, 2013 at 16:51

3 Comments

The difficulty of using keys is that the data needs to be decrypted by the client browser as, well as encrypted. People will be able to see the key. Also, HTTPS certs are expensive $$$
hmm got it. So you don't wanna encrypt, you wanna decrypt data received from server. Dude, security is something we must handle seriously. It's secure or it's not secure, it can't be "secure enough". If you wanna secure it during Internet traffic, you gotta secure it on client-side too. If you send it encrypted but also send a key to decrypt it, and this key isn't secured, all this work will be for nothing.
Any1 wanting to hack your data will just have to get that key (or the decrypt algoritm) to decrypt it. But now, if HTTPS is too expensive to be worth it, then encrypting is too expensive to be worth it. And false security is more expensive than real security.

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.