jCryption 3.1.0

javascript form encryption using openssl

Daniel Griesser

Security Update 3.0.1

I've released jCryption 3.0.1 with a critical security bugfix for the PHP example.
Everyone who uses jCryption and just copy/pasted the example provided in the repo should update their code immediately. The JS received only minor changes.
Credit goes to David Tomaschik of the Google Security Team for pointing that out.

Preface (tl;dr)

I started jCryption in 2009 as a jQuery plugin for encrypting form data in JavaScript, mainly because there was no plugin doing exactly that. The idea of sending encrypted data from the client to the server seemed nice, so I started the project. The first version was very slow, worked only with PHP and used many self-written security libraries _not a good idea_! ;)
But the plugin worked and had surprisingly many downloads, so I continued the project and updated jCryption over the years.
The next version of jCryption was much faster: besides RSA for the key exchange it now used AES for the bulk encryption, which is the main reason it became faster.
But it still relied on self-written PHP libraries to cover all the requirements I wanted it to have.
The day has finally come and I am getting what I always waited for ... jCryption is now fully compatible with OpenSSL, using two rock-solid JavaScript libraries, CryptoJS 3.1 and JSEncrypt, and with that it has become independent of the server technology. So let's get started ...


Examples

So here are a few examples that show exactly what jCryption does and does not do!

Simple login form without jCryption

Simple login with jCryption

What do you have to do

Easy on the client ... some work on the server.
You can find a sample PHP implementation in the repo.

Include jQuery 1.6.1+ and jCryption 3.0.1

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
<script type="text/javascript" src="jquery.jcryption.3.0.1.js"></script>

And then call jCryption on your form

$(function() {
    $("form").jCryption();
});

That's it ... move on to the server ...
Generate a public and private key with OpenSSL (also described here).
Keep in mind that you only have to generate the key pair once.

:~$ openssl genrsa -out rsa_1024_priv.pem 1024
:~$ openssl rsa -pubout -in rsa_1024_priv.pem -out rsa_1024_pub.pem

A 1024-bit RSA key is no longer considered adequate; the same commands work with a 2048- or 4096-bit key, and 2048 bits should be the minimum for new deployments.
Next are the OpenSSL calls you need on the server to work in sync with the client.
But before that ... here is a general description of what exactly happens.

How does this work

  1. client requests the RSA public key from the server
  2. client generates a random key and encrypts it with the RSA public key
  3. server decrypts the key with the RSA private key and stores it in the session
  4. server encrypts the decrypted key with AES, using that key as the password, and sends it back to the client
  5. client decrypts it with AES; if the result matches its own key, client and server are in sync and ready to go
  6. everything else is encrypted using AES with the shared key

Keep in mind what this does and does not protect against: the AES key travels under the server's RSA public key, so a passive observer on plain HTTP cannot read the form data, but nothing in the exchange authenticates that public key. An active attacker who can tamper with the page or the key response can substitute their own key, and the challenge in step 4 will still succeed. jCryption is not a replacement for TLS.

OpenSSL

You can find the complete documentation of OpenSSL here for AES and here for RSA.

  1. Decrypting the key the client sent with RSA.
    Input: the base64-encoded key from the client (decode it first; rsautl expects the raw ciphertext)
    Output: unencrypted key from the client
    :~$ openssl rsautl -decrypt -inkey rsa_1024_priv.pem
  2. Send the client a challenge to solve: encrypt the decrypted key with AES, using the key itself as the password, and send the result back to the client.
    Input: unencrypted key from the client
    Output: encrypted key sent to the client (base64-encoded because of -a)
    :~$ openssl enc -aes-256-cbc -pass pass:'key' -a -e
  3. The server has to decrypt the data sent from the client with AES to work with the data.
    Input: encrypted data from the client (add -a here as well if it arrives base64-encoded, which is what the CryptoJS OpenSSL formatter produces)
    Output: unencrypted data
    :~$ openssl enc -aes-256-cbc -pass pass:'key' -d
