How Does Password Encryption Work well? Illustration With a Typical Example

How Does Password Encryption Work well? Illustration With a Typical Example

Let's begin from thinking about which all places will we actually need to put encryption into action and how do we implement them? Except the wide ranging encryption done with the Database end, there's 2 popular approaches of implementing encryption - One, which is done with the client side (normally the one we will mainly talk about in this article) and Two, which is done at the server side (i.e., the request carries the particular password and at the server it's encrypted to become processed further).

Bcrypt Online Tool

The first kind of the two is obviously best to have as it eliminates the risk of the request being intercepted in the center before it actually reaches the web/app server. Well... you can say that the data packaged in the HTTP POST request is automatically encrypted in the event of HTTPS, but an extra degree of encryption will only enhance the security of the web application. Naturally, the implementation should not be too much time consuming otherwise the main advantages of having a more secure application will likely be ruled over through the frustration it might cause to its end-users.

Though, this will depend upon the actual implementation, but probably the preferred choice (in highly secure systems) is the actual password should not be exposed anywhere in system, which suggests the encrypted password held in DB is fetched and probably not decrypted back to actual password that your end-user uses, but instead another form which is matched together with the decrypted one at the middle-tier to authenticate the person.

The entered password is first encrypted on the client side with all the Public Key ('public key1' in the above diagram) and then the encrypted password reaches the App Server where it's decrypted a corresponding Private Key ('private key1' inside the above diagram). App Server also fetches the password stored in the database, which might need to be decrypted using another Private Key ('private key2' in the above diagram). Now, the implementation with the algorithms and the generation with the keys should be so that both the decrypted passwords 'decryptedpwd1' and 'decryptedpwd2' should match equal for all the valid cases and they also should be unequal otherwise. :link Bcrypt Generator

How do the encryption be implemented? Will JavaScript/VBScript suffice?

Next question arises, exactly how should we do it effectively and at the same time without consuming enough time? The fastest possible way could possibly be to have some mechanism available so that the encryption can occur at the client side only. Okay, so, just how can the encryption happen at the client side? If we put both the encryption also definition and also the public key in the JavaScript (or VBScript) code and another can easily see everything by simply viewing the page source. Did you think that making the JavaScript external can solve your trouble? As in you only declare the JS file if so and not list down the contents. Well... should you did think this, you got to think again. A external JS file is also exposed for viewing with the clients as you can simply type the path (if the path is absolute Or maybe append the relative way to the roor URL) in the browser window so the JS will be there for you to be viewed. We'll see examples below. Evidently, the encryption won't really carry any benefit here.

How else can we do it at the client side? Just how would Applets be?

Yeah... you got a better strategy for handling the situation. As everyone knows that applets are also downloaded to the client machine and therefore are executed at client machine itself, and we all can now make use of the Java programming language and it is security mechanism for having the encryption implemented within a far better manner. What's probably a more appealing about this approach is that you can NOT see the source with the applet class(es) directly. These are normally shipped in JAR bundles that gives an extra layer of security. You can claim that since the JARs are downloaded as well as the .class file with the applet class runs inside vicinity of the client JVM so the bytecodes would certainly be available that may then be de-compiled to have a look at the source. Yeah, you're are right that this bytecodes are available at the client machine and it can be decompiled. But, the thing that makes this approach better than the JavaScript approach could be understood by following points:

 Bytecode tempering is automatically detected: if an intruder somehow gets your hands on the bytecodes and changes that, the changed bytecode will throw very while running whereas these changes in the JavaScript (or VBSCript) source will not detected.

 Security Mechanism of Java is much more versatile: what we talked about in the above point is additionally an integral part of the Java Security mechanism, but it's not only limited to this. It's quite versatile and layered. No such benefit is accessible with JavaScript (or VBScript).

 JVM supplies a far more consistent environment: bytecodes run inside a Java Virtual Machine which obviously provides a far more consistent and stable environment as opposed to environment in which JavaScript (or VBSCript) code runs.

 Impl of public/private keys for every new request: you would probably be aware of the Secure Key concept which forms included in the password on many systems. The root idea in such implementations is usually to have part of the password which keeps on changing with a continuous basis and therefore making it virtually impossible to the attackers to guess that. Similarly, if we want to step-up the encryption strength with an even higher level, we can put in place different public/private key combinations for every new request.