Decrypt data only for authorized client - asp.net

I have an asp.net mvc web application with some customers.
A new customer tells me that its data should be crypted on its client and then sent to server (that will store the data into database).
When the client will request the data, they will be read from db and decrypted on client side.
As is, only he will be able to display the correct data.
I found another post, but i need some samples.
Can i make it with javascript?
How it works? javascript read the private key from a certificate on client machine?
How could you encrypt user data so only they can decrypt it?
tks

Public Key Encryption with Javascript:
http://shop-js.sourceforge.net/crypto2.htm
Keep in mind that you can't read local files with javascript alone. You might need to have a Silverlight app running on the client-side as silverlight can read local files. Maybe have your login screen done in Silverlight?
http://www.insidercoding.com/post/2008/08/17/Reading-Local-Files-in-Silverlight.aspx

Related

security : is this method reliable to ensure a HTTP request comes from my app and not from third party

I'm implementing 2FA on my app with phone number verification. As SMS are not free, I really need to ensure that a request to my server comes from my app and not from any third party http request launcher.
For this purpose, I thought about encrypting the http request with a key provided by my server within my app, and send that encrypted request. As my app is a binary (this is not applicable for web of course), I was thinking it would be difficult to see the encrypting method. The process would be the following :
my app asks my server a key
my server generates, stores and returns a random key
app encrypt the whole actual request with a "secret" method, depending on that key (secret = in binary so hardly readable)
app send to server the encrypted request + the key
The server sees if the key exists, and tries to decrypt the request. If it manages to decrypt, it proceed the request, and then remove the key from its storage so no one can use it anymore.
I don't see any to compromise this system, except if someone manage to read from apple/android binary app the encrypting system the app uses.
Do you think this can be a good process ? Do you see any way to compromise this system ? Is reading from a binary file is really difficult ?
I will start with the flaws in your design, from an android perspective, even if you have enabled pro-guard for your app, we can still decompile the app and trace back the api calls
If your server is not using HTTPS - its easy to trace the calls going
back to the backend server by routing through a proxy server like
charles proxy, and analysing the response, even if you are using
https its possible to install ssl certificates to trust the proxy and
get the response. Also by analyzing the outbound requests its
possible to extract the signed key from the app
Its easy to decompile an apk package and opening it in IDEs and
searching for the backend server url by inputting 'api' or
'http','https' keywords on the ide project search window
If you are storing the secrets in shared preferences or storage, it
can be read from the device ,if the attacker has root access to file
system.
then remove the key from its storage so no one can use it anymore.
For the above scenario, i will run the app and once it stores the key , i can change the permission to read only , so even if the app tries to remove it , it wont be deleted
You can use SSL-Pinning, and putting the keys in compiled libraries making it difficult for the attacker to decrypt the key, also you need to make sure that you don't create any other loop holes
You may also share the common key between app and server through alternate channel , like an email . Where the user once he registers for the App gets and Email with a QR code which once scanned will give the server key. The security of this approach is tied to the secure access of the email by authorized user.
You may them follow the standard approach of sending the encrypted request to server to verify the phone number , once done you may delete the data form your app storage.

How to use AEM cryptosupport API at clientside?

I am planning to use cryptosupport API to encryp/decrypt certain cookie keys bearing PCI/PII customer data. I am setting/reading these cookies at both client and server side. At server end (java), I am able to call API and encrypt/decrypt. How do I call the API from clientside (javascript) ? The usage is quite huge at clientside and I dont want to make ajax calls to server.
Is it advisable to use this API with requirement of encrypting cookie data used at both client and server side?
Or is there simpler encryption API for this purpose?
It is a server-side AEM capability only.
And think about it--if you were able to call an API to decrypt a cipher on the client side (JavaScript), what security would it provide? End users could easily also decrypt the cipher and see the secret, so it really would defeat the purpose of having an encrypted secret.
See What encryption algorithm is best for encrypting cookies? which says
Since this question is rather popular, I thought it useful to give
it an update.
Let me emphasise the correct answer as given by AviD to this question:
You should not store any data that needs encrypting in your cookie. Instead, store a good sized (128 bits/16 bytes) random key in
the cookie and store the information you want to keep secure on the
server, identified by the cookie's key.

Encrypting data on application layer, on top of ssl

I am in the process of developing website and an app (iOS and Android) that are supposed to communicate data over https. I don't want the app clients intercepting these server messages, but I'd like to decrypt that data inside the app itelf.
so: after request, encrypt message (say up to 400kb message) (1st encryption), send over https (ssl encryption) (2nd encryption).
upon receive decrypt ssl, on the client level decrypt scrambled message.
(I don't want some bots sniffing my db through https, in disguise of my app).
How do you think I should get around this problem ?
https is ok, I mean, but if someone is sending the requests instead of the app, the whole thing would be useless as I want to protect the DB data.
Any suggestions ? ideas ?
Thanks
All you need here is HTTPS/SSL with client authentication. Adding a second layer of encryption doesn't actually add any security. PKI authentication of the client does.
SSL client authentication will help, as EJP said, but it requires your app to contain an embedded private key, and if someone really wants your data, they can analyze your app and extract that key.
This isn't something you can solve completely: your server cannot reliably distinguish between the real client app, and a fake one designed by someone who reverse-engineered the real one to imitate it.
Depending on the app, you may be able to transfer some of the work to the server side. In other words, don't expose the raw data to the app, just expose the parts that the app is allowed to display. That way an attacker can't get anything by spoofing the app that they couldn't have gotten by just using the real one.
I actually came up with the idea to encrypt the request rather then the response.
this way a user can't spoof and send requests to the db.
I just thought that doing the encryption again might be doing too much for too little.

Passing values from Flash to ASP.NET

I implemented a kind of Bio metric login in Flash. Now, my flash is detecting person and authentication him. But all I need if after bio metric authentication some information to be passed from Flash to my ASP.NET as to initialize session.
Is it possible to pass authentication code from Flash file to ASP.NET page?
I've done something similar.
Keep in mind there's not much you can do to secure your application, as the .swf resides on the client and can be decrypted and decompiled. I'd recommend just storing an encrypted value in a cookie using a secret that keeps changing and read it from ASP.NET. It's no better than using an encrypted query string, though.
You can pass the values with url parameters
Here is how you open web page from flash
http://board.flashkit.com/board/showthread.php?t=140468

ASP.Net secure Ajax authentication

I want to make my ASP.Net site authentication seamless using Ajax call.
So I consider using client side authentication service of microsoft that should be used via HTTPS because it sends username and password in plain-text format.
And the problem is that I can't use SSL in my site.
So I found a way to hash data before passing to web service that is described here
but the problem is there is a salt in DB that should passed to client for creating hashed password (that equals to DB saved password). and this is not safe.
Is there a better way for doing that?
I found a way.
We will use RSA for encrypting username ans password.
in summery I'll have a web service that creates RSA keypair and save it (this key will be regenerated every day to be more secure).
I will have a textbox or hidden field that calls this service and get the public key.
the for encrypt username and password with jCryption library client side and pass this to my authentication service using ajax call.
so the server will decrypt them with private key and the authenticate user.
I found a way.
Check this out: Secure AJAX Authentication without SSL
Just in case you were looking for an ASP.NET version of jCryption for bi-directional communication, which you mentioned you tried, you can find one on GitHub here: jCryptionNET

Resources