FAQ
How does jCryption work?
jCryption first serializes the form and converts the resulting string into hexadecimal values, which is required to encrypt it. Once the keypair has been generated on the server, the script receives the public key, encrypts the string with it and sends it to the server, where the string is decrypted. When this is done you have your original serialized string back, which is equivalent to a normal form submit (GET or POST).
So jCryption encrypts on the client with JavaScript and decrypts on the server with PHP.
Why do you generate the keypair on every request?
Simple answer … security. The public key is sent to the client, the private key is saved in the session. So each keypair is valid only once and only for the user who has the right server session. If either of these conditions is not fulfilled, the encrypted string will be empty.
And because every keypair is valid only once, there can’t be any plain/cyphertext/cycling attacks on the server.
I’m also thinking about releasing a PHP script which generates many huge prime numbers and stores them into an array, because generating huge primes isn’t that fast.
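The flow described in the two answers above (serialize, hex-encode, encrypt with the public key, decrypt with the private key held in the session, each key valid once), as an added example that is not jCryption's own code. It assumes a toy key built from two fixed Mersenne primes and unpadded RSA; the block framing, the session store and the function names getKeys, encryptForm and decryptForm are invented for the illustration.

```javascript
// Added illustration, not jCryption's code. Fixed toy primes (two Mersenne
// primes, constructed) stand in for the primes generated on each request.
const P = 2n ** 61n - 1n, Q = 2n ** 89n - 1n, E = 65537n;

function modPow(base, exp, mod) {       // square-and-multiply
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

function modInverse(a, m) {             // extended Euclid: a^-1 mod m
  let [r0, r1, t0, t1] = [m, a % m, 0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1, t0, t1] = [r1, r0 - q * r1, t1, t0 - q * t1];
  }
  return ((t0 % m) + m) % m;
}

const sessions = new Map();             // server side: session id -> private key

function getKeys(sessionId) {           // server: private half stays in the session
  const n = P * Q;
  sessions.set(sessionId, { n, d: modInverse(E, (P - 1n) * (Q - 1n)) });
  return { n, e: E };                   // only the public half is sent out
}

function encryptForm(fields, pub) {     // client: serialize -> hex -> RSA per block
  const serialized = new URLSearchParams(fields).toString();
  const hex = Buffer.from(serialized, "utf8").toString("hex");
  // 16-byte blocks; the leading "1" nibble (this example's own framing) keeps
  // leading zero bytes from being lost when a block becomes an integer.
  return (hex.match(/.{1,32}/g) || []).map(
    (block) => modPow(BigInt("0x1" + block), pub.e, pub.n).toString(16));
}

function decryptForm(sessionId, blocks) {  // server: the key is consumed on use
  const key = sessions.get(sessionId);
  sessions.delete(sessionId);
  if (!key) return "";                  // wrong session or reused key: empty result
  const hex = blocks
    .map((c) => modPow(BigInt("0x" + c), key.d, key.n).toString(16).slice(1))
    .join("");
  return Buffer.from(hex, "hex").toString("utf8");
}
```

The decrypted value is the same serialized string a normal form submit would carry, so the server can hand it to its usual query-string parser.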
How secure is jCryption?
Well, that’s not easy to say. The RSA public-key encryption algorithm is one of the strongest and most secure in the world. It has survived over 20 years, although it has some disadvantages/weaknesses, for example if you use a key length <512bit. Like I mentioned before, every time you submit a form the keypair is newly generated; because of this, jCryption, with its functions, is immune to some attacks. But I think in most cases it should be enough to use a 512bit key because it’s not that easy to factorize a 512bit prime. You can adjust the security level of jCryption very easily in PHP (see documentation page). But remember: the higher the security, the longer it takes to generate the keypair, although jCryption offers some nice ways to bypass the waiting time of the key generation (see the full featured example).
What are your future plans on extending jCryption?
I don’t know yet. I first wanted to see if there is a need for such a plugin, but besides that, I am trying to improve performance and security. If you have any ideas about what I can do to improve jCryption, please contact me.
What is with file uploads?
Currently jCryption does not support the encryption of uploaded files because I don’t know any way of getting access to the data of a file with JavaScript. But I think it would be way too slow to encrypt large files with JavaScript.
Why should I use jCryption instead of SSL?
In my opinion jCryption is much easier to install and configure, although I don’t think that jCryption is a replacement for SSL. It could be a nice addition for your contact form or login page to simply make it more secure. If you need the highest security you have to use SSL, because jCryption offers no way of authentication.
What if the client has disabled javascript?
The form will be sent unencrypted.
What version of PHP do I need?
You need at least PHP 4.0.4, because in this version libbcmath is included. You can still try it with older versions but you need the libbcmath library for big number calculations.

August 15th, 2010
Uploaded everything on the server and tried to send me an email, but the status circle runs endlessly and will not send the form. The end of my “main.php” looks like this:
August 15th, 2010
Looks like I can’t post PHP code here. So again:
parse_str($var,$result);
?>
<?php echo "decrypted POST"; mail("ralph.haering@gmail.com","Subject", print_r($result,true));
August 15th, 2010
“uploaded everything” means I uploaded the original jCryption folder. The main.php I’ve changed is the one in Example2.
August 3rd, 2010
Nice jQuery plugin. I actually wrote something similar on the PHP side and then found this. I was using GMP to handle the big numbers though… I think mine is quicker on key generations than your BC math. *shrugs*
Something else I might suggest is to generate a hash lookup table to cut back on key generation time but it might not be something you want to do. Looks like the getPrime(…) function picks a random number and finds the next prime… I noticed you choose the Fermat prime for public key E.
What I am wondering is if you could pick out 100 keys a day and hash them into storage, then you could have a lookup table with little complexity and not run the risk of over using the same keys. After a month’s time you would have plenty of keys (more to pick randomly from).
It seems that when I cranked the key size up to 1024 it took a very long time to do anything and sometimes it would not return a result (even after 5 minutes). So I may re-write the server side stuff and keep the client end.
All in all, neat little plugin – let me know if you’re interested in the hashing idea I mentioned above, I may go ahead and develop it so that you can cronjob keys to randomly pass out (if you’re worried about over usage we can expire keys as well if you are looking for a one-time keypad approach).
I am using this in a system where content is not sensitive but I need to know who is logged in and keep the password secret from browser to ldap server. The server does not have SSL support (or a certificate that is trusted). Works pretty good for me.
June 30th, 2010
Hi,
I got it working with Java, but the only problem I have is that when I decrypt a variable I see two characters appended to my value.
Is this a bug? Has anyone seen this problem before?
Please reply.
Regards
June 9th, 2010
This library is just what I was looking for – very simple to integrate. Thanks!
January 16th, 2010
Is there a way to use this with multiple forms on a page? For example, I have a page for a site’s user administration. It lists all the users and each user’s info in a different form. How do I get it to encrypt just the form I need? Here’s some code I’ve used that did not work:
function submitForm(formID)
{
    var form = document.getElementById(formID);
    formID = "#" + formID;
    $(formID).jCryption({
        getKeysURL: "utilities/getKey.php"
    });
    $("input").removeAttr("disabled");
    form.submit();
}
On each form I have a button that calls this function, but it does not work. I’ve also tried putting the document.ready(…) part in the function, too. Neither work. Can you help me get this working, please?
Thanks
January 16th, 2010
Ok, I got it. It works, so I guess it’s right. Luckily, I’m using PHP to create the HTML for my page. I loop through the returned users and write out a line of javascript for each form that will be used to edit the users. Here’s the javascript:
$(document).ready(function()
{
    $("#userForm0").jCryption( {getKeysURL:"./utilities/getKey.php"} );
    $("#userForm1").jCryption( {getKeysURL:"./utilities/getKey.php"} );
    $("#addUserForm").jCryption( {getKeysURL:"./utilities/getKey.php"} );
    $("input").removeAttr("disabled");
});
If that’s not the right way to do it, let me know.
January 17th, 2010
I use JavaScript to check all forms’ ID names to see if they have the word “encrypt” at the end, then it loops through initialising them.
January 12th, 2010
Is it possible to encrypt and decrypt using PHP so that I can encrypt the GET data in links?
For example:
href="login.php/?username=test_user&pass=keep_me_safe"
href="login.php/?jCryption=27a786be660d7e104341e…"
January 12th, 2010
No, at the moment jCryption can’t do that. You can make a form with 2 hidden fields and one submit button. Set the method of the form to GET and there you go.
January 12th, 2010
I thought of that. But the GET data is revealed in the source of the page.
Thx anyway.
January 11th, 2010
Hi there.
I’ve tried it and works great, with exception of special characters (like ç, Ç, é, É, ã, Ã, », «, etc..)
Is there any way to solve this?
January 12th, 2010
Are you sure you set the charset of the page to utf-8?
January 13th, 2010
Hi again.
In fact, I’m using exactly your example1, without any change, over my Apache install. Your files (index.html and main.php) already set the meta headers as charset as UTF-8. Do I need to set it any elsewhere?
I’ve tried with Firefox and IE8, the result is the same:
E.g.: instead of the char “é”, I’m getting “é”
Thanks in advance.
January 5th, 2010
I don’t see where the question from KC was answered about submitting the form to an email address. How is this done? I don’t see a way in the main.php file. Any help would be much appreciated.
January 7th, 2010
There is no way in HTML to send a form directly to an email address; you have to send an email from the server.
That means you have to use the PHP function “mail” in the main.php to send an email.
Example: (at the end of main.php)
………..
echo "decrypted POST";
mail("myEmail@google.com","Subject",print_r($result,true));
………..
This will send an email with the complete form data to “myEmail@google.com”.
August 15th, 2010
Uploaded everything on the server and tried to send me an email, but the status circle runs endlessly and will not send the form. The end of my “main.php” looks like this:
parse_str($var,$result);
?>
January 5th, 2010
This is a little hard to explain. Is there any way of encrypting links or could you develop my idea? This would be excellent in protecting my GET information in my links which I use in my LEMsn (Localised Electronic-Messaging Systems Network) e.g. href="mail/?read&mes_id=935632".
Deeper Example (not actual use):
Unencrypted: Login
Encrypted: Login
“jCryption=27a786be660d7e104341e…” = the encrypted data/link printed in “href” using PHP (so the actual link wont be displayed in the source of the page)
then “login.php” would decrypt $_GET['jCryption'] and log in the user.
No JavaScript and no forms. The encrypting code would have to be re-written in PHP.
I could possibly do this myself but because my proficiency in JavaScript is not high I lack the ability to identify the encrypting function(s). Maybe you could send me a JavaScript function that will encrypt a string?
Thanks for your time.
November 26th, 2009
I’m a real newbie. How do you send the form info to an email address?
August 16th, 2009
Lovely script you have there! Took a little time to figure out how it was connected (mainly the ajax part calling main.php). I used to have a user’s password sha1 hashed client side, before sending it to the server, but since I needed to get an ntlm for some users too, and I then had to send the plain text password to the server, I found this sweet script. However it will be used in conjunction with SSL in the end anyway (ntlm hash needed for local lan-party where we use SSL for intranet website).
If there was something that would have made it easier for me, it might have been joining the files together, so one would not need to spend too many hours figuring it out (I know, newbie).
August 14th, 2009
In future versions, will jCryption allow bidirectional communication between client and server?
August 14th, 2009
yes … I will soon release a small update with some security updates …
After that there will be a new release with some new features … bidirectional communication is one of them …
August 12th, 2009
If you’re not guarding against man-in-the-middle attacks, then what security are you offering, exactly? Do you not realize that any security system is only as strong as its weakest point?
The whole thing seems pointless.
August 12th, 2009
You don’t have to use jCryption if you think it makes no sense at all.
When someone is between you and “the internet” you probably will have bigger problems than protecting your form data.
jCryption protects form data against sniffers, in an open wlan for example.
I think it’s much easier just reading the form data than encrypting an RSA encrypted text.
And like I wrote several times before, if you want 100% security use SSL, and it’s in the website owner’s opinion if jCryption is enough or not.
August 11th, 2009
Despite the MITM attack, this library adds a severe layer of security compared to a plain text password.
It’s not that hard to listen to an internet connection (unprotected wifi for example), but manipulating data while being transferred is much more complicated.
So … thanks a lot for your Daniel
August 7th, 2009
This system is vulnerable to man-in-the-middle attacks. An attacker can return a spoofed result without the JavaScript encryption part and the user would never know anything is wrong.
August 8th, 2009
That’s true, it is vulnerable to MITM attacks, but I mentioned that jCryption in its current state offers no way of authentication and that it is no replacement for SSL. jCryption should be an easy to install plugin which offers a base level of security.