nitin

Reputation: 21

Encrypting Password

I want to encrypt a password in jQuery and decrypt it in servlets. Please tell me which algorithm I should use and how to implement this.

Upvotes: 1

Views: 12343

Answers (4)

illy

Reputation: 1618

In terms of how to implement it, things have moved on since the question came up and it looks like CryptoJS should make it easy:

http://code.google.com/p/crypto-js/

NOTE - I haven't used it yet!

Upvotes: 1

whatnick

Reputation: 5480

A simple spot of Googling would have got you the answer. The available algorithms seem to be Blowfish, SHA and RC4. If you want decryption, Blowfish would be the way to go. For smaller datasets you can use RC4.

For a practical example, look at how Yahoo does its logins. The login form has a hidden field called ".challenge" which acts as the salt; this is embedded in the hash as follows: fullhash=MD5(MD5(passwd)+challenge)

Upvotes: 0

James

Reputation: 69

You want to use HMAC.

Basically, you send 2 salts to the client. You store in your database

md5(salt + pwd)

you send a unique salt2 and the db salt to the end user, who returns

md5(salt2 + md5(salt + pwd))

and then you compare to that same operation server-side.

As long as you vary the salt sent and don't accept old ones, it is about as secure as you're going to get without SSL. You definitely don't want to try to use AES, RSA or anything similar.

If you don't like md5, use any other hashing algorithm of your choice.

Upvotes: 4

Steve

Reputation: 1875

This is a classic encryption problem. The one-way hashes described by whatnick will work, but there are security issues. Notably, an attacker can perform a replay attack as the hash cannot be salted, meaning the user can only ever send the one hash that corresponds to the hash stored in the database. In other words, this is almost the same thing as sending the password in plain text.

The only way to do this properly is with a non-symmetric public key cypher such as RSA. I have seen a Javascript implementation here. I would argue that this is more complicated than necessary and that just doing a secure login via SSL is most probably the safest and easiest thing in the long run.

Upvotes: 0
