How Does Password Encryption Actually Work? Illustration With a Typical Example

How Does Password Encryption Actually Work? Illustration With a Typical Example

Let's move on from thinking about which all places do we actually need to put encryption into action and how do we implement them? Except the possible encryption done with the Database end, there are 2 popular approaches of implementing encryption Body, which is done at the client side (usually the one we will mainly speak about in this article) and Two, that's done at the server side (i.e., the request carries the specific password and at the server it's encrypted to get processed further). Bcrypt Generator

The first sort of the two is obviously best to have as it eliminates the chance of the request being intercepted in the middle before it actually reaches the web/app server. Well... you'll be able to say that the data packaged inside a HTTP POST request is automatically encrypted in case there is HTTPS, but an extra degree of encryption will only enhance the security of the web application. Of course, the implementation really should not be too much time consuming otherwise the main advantages of having a more secure application will probably be ruled over from the frustration it might cause to its end-users.

Though, it depends upon the actual implementation, but likely the preferred choice (in highly secure systems) would be that the actual password should not be exposed anywhere in system, which suggests the encrypted password kept in DB is fetched and probably not decrypted back to actual password that the end-user uses, but instead another form which is matched using the decrypted one at the middle-tier to authenticate the consumer.

The entered password is first encrypted at the client side while using Public Key ('public key1' within the above diagram) and therefore the encrypted password reaches the App Server where it's decrypted a corresponding Private Key ('private key1' from the above diagram). App Server also fetches the password kept in the database, which can need to be decrypted using another Private Key ('private key2' from the above diagram). Now, the implementation from the algorithms and the generation with the keys should be such that both the decrypted passwords 'decryptedpwd1' and 'decryptedpwd2' should match equal for all your valid cases and they should be unequal otherwise. Bcrypt Generator

How can the encryption be implemented? Will JavaScript/VBScript suffice?

Next question arises, exactly how should we do it effectively possibly at the same time without consuming long? The fastest possible way would possibly be to have some mechanism set up so that the encryption can take place at the client side only. Okay, just how can the encryption take place at the client side? When we put both the encryption also definition along with the public key in the JavaScript (or VBScript) code and another can easily see everything simply by viewing the page source. Do you think that making the JavaScript external can solve your problem? As in you only declare the JS file if so and not list down the contents. Well... in case you did think this, you have to think again. A external JS file is also exposed for viewing from the clients as you can simply type the trail (if the path is absolute Or simply append the relative road to the roor URL) in the browser window and the complete JS will be there for you to be viewed. We'll see examples below. Evidently, the encryption won't really carry any benefit here.

How else can we do it at the client side? How good would Applets be?

Yeah... you got a better way of handling the situation. As we know that applets are also downloaded to the client machine and therefore are executed at client machine itself, so we can now make use of the Java programming language and its security mechanism for having the encryption implemented in the far better manner. What's probably an even more appealing about this approach is that you could NOT see the source in the applet class(es) directly. They are normally shipped in JAR bundles which gives an extra layer of security. You'll be able to claim that since the JARs are downloaded along with the .class file from the applet class runs from the vicinity of the client JVM therefore the bytecodes would certainly be available which may then be de-compiled to take a look at the source. Yeah, you're are right how the bytecodes are available at the client machine therefore it may be decompiled. But, why is this approach better than the JavaScript approach can be understood by following points:

 Bytecode tempering is automatically detected: appears to be intruder somehow gets their hands on the bytecodes and changes that, the changed bytecode will throw very while running whereas any such changes in the JavaScript (or VBSCript) source will not detected.
 Security Mechanism of Java is a bit more versatile: what we mentioned in the above point can also be an integral part of the Java Security mechanism, but it's not only limited to this. It is versatile and layered. No such benefit can be acquired with JavaScript (or VBScript).
 JVM supplies a far more consistent environment: bytecodes run in a Java Virtual Machine which obviously provides a far more consistent and stable environment than the environment in which JavaScript (or VBSCript) code runs.
 Impl of numerous public/private keys for every new request: you might be aware of the Secure Key concept which forms element of the password on many systems. The root idea in such implementations is always to have part of the password which ensures you keep on changing over a continuous basis and so making it virtually impossible for your attackers to reckon that. Similarly, if we want to intensify the encryption strength to an even higher level, we can easily put in place different public/private key combinations for each new request.