stackoom
  简体   繁体   中英

Web form submission : Client-side encryption and source code not accessible

 原文  2016-05-21 08:10:28       java/ forms/ spring-mvc/ web/ encryption-symmetric

Question

I'm not really experienced in website and specially website security.

Before the problem, let's explain the context :

I have created a web page that is meant to be a platform with an order form X to be filled by some client A with some critical fields Y to be encrypted. Then, the web server would send a mail with X+Y to the seller B, so he can process the order.

What I did :

I created a form with Spring MVC with a controller (in Java) and an HTML view template. This tutorial helped me a bit : https://spring.io/guides/gs/handling-form-submission/ . When A submits X+Y, I encrypt Y (with a symmetric TEA Encryption) in the Controller (So I guess that is obviously server-side) and then send it to the retailer by mail. Then the retailer decrypts it with the same key used for decryption.

The problem :

I would like it to be really secure so I don't want to send Y to the server and then encrypt it, I want to encrypt it on the client side and then send it to the controller.

Is Javascript client-side the only solution to do this ? I would prefer to do it in Java on the client side because what I want is that the encryption is client-side and also the source code containing the encryption algorithm hidden to anyone (which is not the case I guess in HTML and Javascript).

So, for client-side and hidden source code encryption, is it possible to do it with Spring MVC and Java, or with Javascript, or do you have any other suggestion ?

1 answers

solution1
 0  2016-07-20 17:52:29

As indicated, I wouldn't worry about people having access to the encryption code itself, this is the least of your concerns security-wise. There are publicly-available reference implementations and specifications for all common encryption algorithms anyway. A major requirement of modern cryptographic algorithms is that the security lies in the secrecy of the key, not in the secrecy of the algorithm itself. (This was actually an explicit requirement for the Data Encryption Standard and has held for all subsequently-designed algorithms). Relying on the secrecy of the encryption algorithm you're using is a form of security by obscurity, which is a bad practice.

There's a decent discussion of public-key cryptography in JavaScript here: Are there any asymmetric encryption options for JavaScript?

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question HTTP-Request from different source IP (client-side) RMI: How to place server-side & client-side classes to network-accessible location? Client-side locking Sharing java classes between web-service and client-side Client-side framework for web-app with good audio support How to use java on client-side code of Worklight? IOException caught client-side on http error code returns Is there a client-side version of onPlayerJoin? Client side encryption GWT “database” (client-side)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM