
RSA Encrypt/Decrypt in TypeScript

I'm using Angular 4 to make the front end of my application. I have implemented OAuth2 on my backend (developed with Spring in Java), so people using my application must be authenticated.

The thing is that the passwords are clearly visible in the backend server logs, and they could be caught by a MITM until I add SSL.

That's why I decided to encrypt the sent password with RSA. My backend is already ready, but I can't find any up-to-date libraries that provide a decent API for encrypting/decrypting with an RSA key pair.

I've also seen the crypto module, but it is no longer usable on ES6. crypto-js only provides AES and some hashing such as MD5/SHA.

I finally found a way, after installing some packages.

npm install buffer
npm install crypto-browserify

Then use it:

import {config} from "../app.config";
import {Buffer} from 'buffer/';                 // the npm "buffer" package; the trailing slash avoids resolving to Node's builtin
import * as crypto from "crypto-browserify";    // browser port of Node's crypto API

export class RsaService {
  private privateKey: string;
  private publicKey: string;
  private enabled: boolean;

  constructor() {
    // Both keys are read from the front-end config, so with this design the
    // private key is shipped to the browser inside the bundle.
    this.privateKey = config.authentication.rsa.privateKey;
    this.publicKey = config.authentication.rsa.publicKey;
    this.enabled = config.authentication.rsa.enabled;
  }

  isEnabled(): boolean {
    return this.enabled;
  }

  encrypt(plaintext: string): string {
    if (!this.enabled)
      return plaintext;

    // Buffer.from() replaces the deprecated new Buffer(string) constructor.
    let buffer = Buffer.from(plaintext, 'utf8');
    // privateEncrypt/publicDecrypt is the "signature" direction of RSA (PKCS#1 v1.5):
    // anyone who holds the public key can recover the plaintext. To keep the
    // password confidential towards the server, the browser would instead call
    // publicEncrypt with the server's public key and the backend privateDecrypt.
    let encrypted = crypto.privateEncrypt(this.privateKey, buffer);

    return encrypted.toString('base64');
  }

  decrypt(cypher: string): string {
    if (!this.enabled)
      return cypher;

    let buffer = Buffer.from(cypher, 'base64');
    let plaintext = crypto.publicDecrypt(this.publicKey, buffer);

    return plaintext.toString('utf8');
  }
}
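The service above uses the privateEncrypt/publicDecrypt pair, which means the private key has to live in the browser and anyone with the public key (that is, anyone who can read the JavaScript bundle) can undo the "encryption". The following is an added example, not code from the question or its answers, using Node's built-in crypto module (which crypto-browserify mirrors, so the same calls apply in the browser with `crypto-browserify` in place of `crypto`). It generates a throwaway key pair at runtime and shows the direction that actually gives confidentiality: publicEncrypt with RSA-OAEP on the client, privateDecrypt on the server, side by side with what the answer's direction leaks. The key pair, the sample password and the function names are constructed for this example; `oaepHash` requires Node 12.9 or later.

```typescript
import * as crypto from "crypto";

// Constructed for this example: a throwaway 2048-bit RSA key pair generated at
// runtime. In a real deployment only the backend holds the private key and the
// browser bundle ships the public key alone.
export const demoKeyPair = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});

// RSA-OAEP with SHA-256 on a 2048-bit modulus leaves 256 - 2*32 - 2 = 190 bytes
// for the message, which is plenty for a password but not for arbitrary data.
const OAEP_MAX_BYTES = 2048 / 8 - 2 * 32 - 2;

// Browser side: seal the password to the server's PUBLIC key.
export function encryptForServer(serverPublicKeyPem: string, password: string): string {
  const message = Buffer.from(password, "utf8");
  if (message.length > OAEP_MAX_BYTES) {
    throw new Error(`message too long for RSA-OAEP: ${message.length} > ${OAEP_MAX_BYTES} bytes`);
  }
  const sealed = crypto.publicEncrypt(
    { key: serverPublicKeyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    message,
  );
  return sealed.toString("base64");
}

// Server side: only the holder of the PRIVATE key can open it.
export function decryptOnServer(serverPrivateKeyPem: string, sealedB64: string): string {
  const opened = crypto.privateDecrypt(
    { key: serverPrivateKeyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    Buffer.from(sealedB64, "base64"),
  );
  return opened.toString("utf8");
}

// The direction used in the answer above: privateEncrypt in the browser,
// publicDecrypt to read it back. Whoever has the public key recovers the
// password, so this is a signature, not encryption.
export function recoverWithPublicKeyOnly(privateKeyPem: string, publicKeyPem: string, password: string): string {
  const sealed = crypto.privateEncrypt(privateKeyPem, Buffer.from(password, "utf8"));
  return crypto.publicDecrypt(publicKeyPem, sealed).toString("utf8");
}

// Runs both directions on a constructed sample password and reports what each gives.
export function demo(password: string = "correct horse battery staple") {
  const { publicKey, privateKey } = demoKeyPair;
  const sealed1 = encryptForServer(publicKey, password);
  const sealed2 = encryptForServer(publicKey, password);

  // A second, unrelated key pair stands in for an attacker who saw the public
  // key and the ciphertext but does not hold the backend's private key.
  const attacker = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  let wrongKeyFails = false;
  try {
    decryptOnServer(attacker.privateKey, sealed1);
  } catch (_err) {
    wrongKeyFails = true; // OAEP decoding fails on the wrong key instead of returning garbage
  }

  return {
    roundTrip: decryptOnServer(privateKey, sealed1),          // server reads the password
    randomized: sealed1 !== sealed2,                          // OAEP is randomized: same password, different ciphertexts
    wrongKeyFails,                                            // attacker without the private key gets nothing
    leakedByAnswerDirection: recoverWithPublicKeyOnly(privateKey, publicKey, password),
  };
}
```

Even in the correct direction, RSA-encrypting the password is not a substitute for TLS: the browser has no way to verify that the public key it received came from the real server, and a captured ciphertext can be replayed verbatim to log in without ever learning the password.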

Depending on where those network logs have been captured, it is really possible to get back the whole HTTP pipeline in plain text: once SSL works on a specific communication layer, you just listen to the stream on a higher layer and boom, it's there. This is an answer to some comments above.

About the architecture itself, it makes complete sense once you're worried about protecting your data from unwanted eyes, so in a theoretical way I would suggest some approaches:

1) Create your own encryption method and use it on both sides. A simple matrix multiplication could be useful; it sounds insane, I know, but if it's a non-critical flow I don't see any problem with that.

2) Use crypto-js on both sides as well, e.g. calling a JavaScript code portion from your Java code to encrypt/decrypt the password.

3) Use an external authentication/authorization entity, like Google, Twitter or Facebook, or a more enterprise solution like IBM BlueID, Azure or AWS, or even your own domain controller for that; going even further, you can use an external auth entity together with your own domain controller, which is called Federation.

I mean, there are several options to get it solved, from something very simple like making your own solution up to a huge structure. I'm not sure where you are between those two points, but it's cool to be aware of sensitive data.
