How can we encrypt the Query String using MD5 algorithm at client side?
I am using spring frame work. currenty we are encrypting the query string by using an algorithm which is in JS file. But user is able to access the js file, so he is able to decrypt and encrypt the text. How to restrict it?
is there any other way to encrypt the query string without exposing the algorithm in js file?
I need to encrypt each formfield and send it to server...using proxy tools also user/hacker should not be able to decrypt or pass some malicious text.
There is no any way to encrypt something on client side without danger that encryption method could be reverse-engineered.
(ok, there is one method surely - usage of hardware keys, but for most types of web-applications it is obviously unusable)
But if you want data to be encrypted on client and decrypted on server, it would not do. One of usual ways to deal with it is using https (ssl) access to your resource instead of http.
However, you'd better at first try to explain (for yourself and for other peoples) the following questions considering security:
1) Which kind of data you are sending to server.
2) Which kind of attacks from third persons or cheating behavior of your users you expect, regarding different parts of data mentioned in answer to first question.
3) What size of profit could potential hacker gain from breaking your security.
I know that sometimes (often) people are trying to protect themselves from attacks which are unlikely to happen and forget some more simple issues which render planned protection measures useless.
You may also look at protection schemes used by online banking resources or billing systems. There are different variants with sending confirmation codes, passwords or encryption keys by e-mail or SMS, etc. Anyway it all depends on answers to mentioned 3 questions...
MD5 is long gone and broken, its not recommended for new development.
Lets say part of the query means selecting an integer between 1 and 100000; you would have to crack it server-side. It boils down to this: if the client (browser) is going to understand the application/form/web page then it will NEED to read it in cleartext; obfuscated is OK, but there are no exceptions (aside from a hardware key mentioned above, which can be reversed/broken/and involves a trusted relationship with the manufacturer.
What you could do is this: provide a form with the keys/names as hashes, then on the server side you can maintain a Map<Hash, ClearTextName> and rejoin them and finish processing the query without ever showing the user what the real key means. You will have serious issues trying to make compound things inside of a form, but on the flip side you can make compound preset GET links very easily (page=home&subpage=intro).
Is this a good idea? I don't think so, it adds overhead and complexity to an otherwise perfectly OK system (in theory).
I use (, ; : -) as I please- instead of learning the English language specification: I decided to learn Scheme and Java;