JAVAScript Public Key Encryption

Re: JAVAScript Public Key Encryption

webmaniac wrote on 20 nov 2008 in comp.lang.javas cript:
You cannot secure your webpage with clientside code, methinks.

You could secure some information on a page, but what the heck,
doing that serverside is better and easier.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: JAVAScript Public Key Encryption

On Nov 20, 12:29 pm, "Evertjan." <exjxw.hannivo. ..@interxnl.net >
wrote:Hi Evertjan,

Lets say. Someone got registered at the website, the private key got
generated by the Public key algorithm, Now user has to enter that
Public key to access the system. But the public key is so long & we
dont want the user to remember that big a key. Is there a way we can
convert that key into a 4 digit pin. Do you know any algorithm that
converts that key into a 4 digit pin.

Thanks

Re: JAVAScript Public Key Encryption

webmaniac wrote on 20 nov 2008 in comp.lang.javas cript:
What does thet mean "Someone got registered at the website"
Where is that generating code located, on clientside code?
What system? On the server?
var publicKey = [];
publicKey['2641'] = 'ThisisTheVeryL ongKeyBlahBlahB lahBlahBlahBlah etc';

Again, as in your subject line, you ask for encription.

Why would you want to encript a public key anyway, as it is public?

And why would you want to do that clientside?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: JAVAScript Public Key Encryption

webmaniac wrote:As with most security solutions created by non-experts, and most
applications of cryptography created by non-experts, this is neither
secure nor an appropriate use of cryptographic technology.

Using an asymmetric key pair by itself as an authenticator is a lousy
use of the primitive. It's vulnerable to replay attacks, for example.

If the user's secret is a "public" key, then it's not secret, by
definition. So your scheme makes no sense anyway. (Perhaps you meant
that the user supplies the private key.)

It's not clear why you think you need an asymmetric primitive at all.
What are you gaining over a shared secret, or a secret and a verifier
such as a cryptographic hash? Those are much more common
authentication mechanisms.

As Evertjan already pointed out, client-side security is rarely
useful. If the user is verified by the client, the server has no
grounds for trusting the verification.

Can you reduce an asymmetric key to a 4-digit PIN? Sure. You can
reduce it to a 1-digit PIN, too. But it would be stupid to do so.
Decimal PINs are hard for users to remember, they're inconvenient to
enter on systems that don't have numeric keypads, and they have little
entropy (less than 14 bits for a 4-digit decimal PIN). If your system
has any vulnerability that an attacker can exploit to guess PINs (and
I bet it does), then it only takes an average of 5000 attempts to
break it for a given user.

In short: don't do this. Either employ an actual security expert to
secure your site, or purchase a decent off-the-shelf package for it.

--
Michael Wojcik
Micro Focus
Rhetoric & Writing, Michigan State University