PHP
novichkovv, 2021-04-24 08:27:24

How to pass passphrase from js client to php server?

I need to securely transfer a secret phrase from the browser to the server (or vice versa; it doesn't matter where the phrase is generated, what matters is that it is saved on both sides). I'm looking towards asymmetric encryption, but I can't find any well-organized information on the implementation. And as I understand it, you can't reinvent the wheel here. In general, I'll formulate the task something like this:
A key pair is generated on the js client, and the public key is transmitted in the first message to the server.
The server encrypts the secret string using the public key and sends it and the public key in response to the client.
The client decrypts the secret string with the private key.
Don't ask why I need this, the end goal is much broader, but that's exactly what I need at the moment.
I used JSEncrypt to create a code that allows you to encrypt a string with a public key and decrypt it with a private key. But it is not clear what to do on the server side, how to decrypt the string using the public key, and why the person who intercepted the messages cannot do the same.
I have almost no knowledge on this issue; ideally, suggest libraries with a ready-made implementation, or a quality article.
Here is the js code:

    // Requires the JSEncrypt library to be loaded on the page.
    const keySize = 1024;
    let crypt = new JSEncrypt({default_key_size: keySize});
    let publicKey = crypt.getPublicKey();
    let privateKey = crypt.getPrivateKey();

    // Encrypts the argument with the public key
    function encryptData(plaintext) {
        let encrypt = new JSEncrypt();
        encrypt.setPublicKey(publicKey);
        return encrypt.encrypt(plaintext);
    }

    let encryptedString = encryptData('some secret phrase');
    console.log(encryptedString);

    // Decrypts the argument with the private key
    function decryptData(encryptedString) {
        let encrypt = new JSEncrypt();
        encrypt.setPrivateKey(privateKey);
        return encrypt.decrypt(encryptedString);
    }

    console.log(decryptData(encryptedString));


3 answer(s)
profesor08, 2021-04-24
@novichkovv

But it is not clear what to do on the server side, how to decrypt using the public key

Decrypt with the private key. The public key is needed for encryption, the private key for decryption. The private key is not transmitted anywhere, the public key can be transferred to whomever you want.
The server generates a pair of keys, keeps the private one, and gives the public one to the client. The client also generates a pair of keys, keeps the private one, and sends the public one to the server. Next, using the public key received from the server, the client encrypts the message and sends it to the server, where the server calmly decrypts the message using its private key.
If SSL (https) is configured for the site, then all these manipulations are not needed.
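
The exchange profesor08 describes, as an added example that is not part of the thread: Node.js's built-in crypto module stands in for both the browser client and the PHP server, and it uses 2048-bit RSA with OAEP padding rather than the question's JSEncrypt setup. All function names are made up for illustration.

```javascript
// Added example: Node.js plays both the browser client and the PHP server.
const nodeCrypto = require('crypto');

// Both sides must agree on the padding; OAEP with SHA-256 is an assumption here.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: generate the pair once. Only publicKey is ever sent to clients.
function makeServerKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Client: encrypt the phrase with the server's public key, base64 for transport.
function clientEncrypt(serverPublicPem, phrase) {
  const ct = nodeCrypto.publicEncrypt({ key: serverPublicPem, ...OAEP }, Buffer.from(phrase, 'utf8'));
  return ct.toString('base64');
}

// Server: recover the phrase with the private key that never left the server.
function serverDecrypt(serverPrivatePem, ciphertextB64) {
  const pt = nodeCrypto.privateDecrypt({ key: serverPrivatePem, ...OAEP }, Buffer.from(ciphertextB64, 'base64'));
  return pt.toString('utf8');
}

// What someone holding only intercepted material can do: try a key, report success.
function canDecrypt(keyPem, ciphertextB64) {
  try {
    serverDecrypt(keyPem, ciphertextB64);
    return true;
  } catch {
    return false; // wrong key, or a public key used where a private one is required
  }
}

function demo() {
  const server = makeServerKeys();
  const wire = clientEncrypt(server.publicKey, 'some secret phrase'); // constructed sample
  return {
    serverReads: serverDecrypt(server.privateKey, wire),
    publicKeyDecrypts: canDecrypt(server.publicKey, wire),
    otherPrivateKeyDecrypts: canDecrypt(makeServerKeys().privateKey, wire),
  };
}

console.log(demo());
```

A passive listener sees only the public key and the ciphertext, which is why interception alone does not reveal the phrase; the client still needs HTTPS to be sure the public key it received is really the server's.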

Vladimir, 2021-04-24
@djQuery

How it is done in telegram:
I put the letter in an iron box and lock it.
Sending a box to a friend.
A friend puts his lock on the box and sends it back to me.
I remove my lock and send it to a friend.
The friend successfully opens the box with his key.
As a result: on shipment, the box was always locked, the keys were always with us and were not transferred to anyone.

Romi, 2021-04-24
@romicohen

...and why the person who intercepted the messages cannot do the same

as far as I understand, this is the key issue in all this :)
Well, in theory, SSL (https) is needed for this, so that such messages are not intercepted.
Secondly, if I were you, I would look towards the implementation of OAuth2 - as far as I understand, this protocol solves a problem similar to yours. There are many tutorials on it with pictures, this is another advantage of it :)
Thirdly, look in the direction of TWO pairs of keys. That is, a public/private pair on the client side, and the same on the server. There are also descriptions of this scheme on the Internet (well, you just need to write a lot here).
Hope it helps :)
