Reputation: 5757
How to use asymmetrical encryption to receive data in javascript?
I understand the concept of asymmetrical encryption in the context of the client wanting to send data securely to the server. The server sends a public key to the client that is used to encrypt the data. The server decrypts the message using it's private key. In this context, everything makes sense, since the private key is only accessible by the server.
But what if the client wants to receive data securely? The same concept could apply in the opposite direction (the front end shares the public key and possess the private key), except the private key would be available to anyone, since the source code in javascript is available in the web browser and it would defeat the purpose of encryption...
Surely there is a solution for this. When searching I have not found a clear answer to my question, although many people mentioned HTTPS. I would also like to know why and how does it work and where my knowledge is flawed.
How does a client securely receive data from a server?
Upvotes: 4
Views: 331
Answers (2)
Reputation: 10556
SSL is just another layer of security (at least to some extent). Any CA is not inherently secure. You may want to use PKI along with the usual symmetric algorithms like this (a sample usage), where (depending on the data size - PKI serves to encrypt small data chunks) the public key encrypts preliminarily generated symmetric key (which encrypts some data) on the sender side and the private key on the receiver side decrypts the symmetric key (which on its turn decrypts the data).
Upvotes: 0
Reputation: 7242
As you have already mentioned, HTTPS is the solution here. You have already covered how this works but you are just missing a few key details.
HTTPS use asymmetric encryption to establish the initial encrypted communication. Subsequent communication is actually performed using symmetric encryption as it is more performant and more secure for a smaller key size. So the initial hand shake uses the server's public key to exchange a shared secret key that both the server and client will then use for all communication.
Additionally, the public key used by the server is generally signed by a trusted certificate authority whose key your browser already knows. This allows your web browser to verify the server's public key so that you know that the communication has not been intercepted and altered by an attacker sitting between you and the server. Otherwise an attacker could just intercept all communication and send you a different public key claiming to be the server's public key, and how would you know the difference?
Once the encrypted channel is established, anything the client sends to the server is encrypted, and likewise, anything the server sends to the client is encrypted. The encryption guarantees here ensure both confidentiality and integrity of all communication.
So by using HTTPS, the client is securely receiving data from the server, as well as securely sending data to the server, all without embedding any keys directly into the Javascript code.
Upvotes: 6
Related Questions
- How do I replace all occurrences of a string?
- How do I make the first letter of a string uppercase in JavaScript?
- How can I validate an email address in JavaScript?
- How can I remove a specific item from an array in JavaScript?
- How do I get a timestamp in JavaScript?
- How do I remove a property from a JavaScript object?
- What does "use strict" do in JavaScript, and what is the reasoning behind it?
- How do I include a JavaScript file in another JavaScript file?
- How do JavaScript closures work?
- How to check whether a string contains a substring in JavaScript?