www.webdeveloper.com

Thread: How can we encrypt the Query String using MD5 algorithm at client side?

  1. #1
    Join Date
    Jul 2012
    Posts
    3

    How can we encrypt the Query String using MD5 algorithm at client side?

    I am using the Spring framework. Currently we are encrypting the query string by using an algorithm which is in a JS file. But the user is able to access the JS file, so he is able to decrypt and encrypt the text. How to restrict it?

    Is there any other way to encrypt the query string without exposing the algorithm in the JS file?

    I need to encrypt each form field and send it to the server... Even using proxy tools, the user/hacker should not be able to decrypt or pass some malicious text.
    Last edited by rockjava; 07-04-2012 at 08:33 AM.

  2. #2
    Join Date
    Jul 2012
    Posts
    3
    To be more specific...

    Normal URL: http://localhost:8080/myWebApp/?user...irstname=first

    After Encoding Query string URL: http://localhost:8080/myWebApp/?x=Yw...-6S6FwvocqYPuA

    It should not be understandable by the user.

  3. #3
    Join Date
    Mar 2012
    Location
    Saint-Petersburg, Russia
    Posts
    97
    There is no way to encrypt something on the client side without the danger that the encryption method could be reverse-engineered.

    (OK, there is one method surely - usage of hardware keys, but for most types of web applications it is obviously unusable.)

    You've mentioned MD5 in the title of the topic, but it is a hash, not encryption which could be decrypted. If you do not need decryption (for example, for storing passwords) you can use MD5 generation in your JavaScript almost without any fears.

    But if you want data to be encrypted on the client and decrypted on the server, it would not do. One of the usual ways to deal with it is using HTTPS (SSL) access to your resource instead of HTTP.

    However, you'd better first try to answer (for yourself and for other people) the following questions concerning security:
    1) What kind of data you are sending to the server.
    2) What kind of attacks from third persons or cheating behavior of your users you expect, regarding the different parts of the data mentioned in the answer to the first question.
    3) What size of profit a potential hacker could gain from breaking your security.

    I know that sometimes (often) people are trying to protect themselves from attacks which are unlikely to happen and forget some more simple issues which render planned protection measures useless.

    You may also look at protection schemes used by online banking resources or billing systems. There are different variants with sending confirmation codes, passwords or encryption keys by e-mail or SMS, etc. Anyway, it all depends on the answers to the 3 questions mentioned...

  4. #4
    Join Date
    Jul 2012
    Posts
    3

    Encrypted URL Query String

    In the Wicket framework we can do something like the following:

    Normal URL:

    http://localhost:8080/WicketExamples...urlQueryPanel:

    Encrypted URL:

    http://localhost:8080/WicketExamples...QPpvT9MHF2-6S6FwvocqYPuA

    Is there any way to do the same in Spring Framework?

  5. #5
    Join Date
    Mar 2012
    Location
    Saint-Petersburg, Russia
    Posts
    97
    That is different. You can even use a dedicated library:
    http://forum.springsource.org/showth...tion-in-Spring

  6. #6
    Join Date
    Jul 2010
    Location
    /ramdisk/
    Posts
    865
    MD5 is long gone and broken, it's not recommended for new development.

    Let's say part of the query means selecting an integer between 1 and 100000; you would have to crack it server-side. It boils down to this: if the client (browser) is going to understand the application/form/web page then it will NEED to read it in cleartext; obfuscated is OK, but there are no exceptions (aside from a hardware key mentioned above, which can be reversed/broken/and involves a trusted relationship with the manufacturer).

    What you could do is this: provide a form with the keys/names as hashes, then on the server side you can maintain a Map<Hash, ClearTextName> and rejoin them and finish processing the query without ever showing the user what the real key means. You will have serious issues trying to make compound things inside of a form, but on the flip side you can make compound preset GET links very easily (page=home&subpage=intro).

    Is this a good idea? I don't think so, it adds overhead and complexity to an otherwise perfectly OK system (in theory).
    I use (, ; : -) as I please- instead of learning the English language specification: I decided to learn Scheme and Java;
