I have been using jCryption for a secure login. On the client i am using the JavaScript package and on the Java decryption i am using BouncyCastle jar to decrypt.
The problem is that it works OK in Tomcat but when i take the same webapp and deploy on Jboss i am having problems loading the BouncyCastle jar.
My question is: is there a way to encrypt using jCryption that will produce a more standardized RSA output which will allow me to use other security providers?
On
Generally speaking, if you want security, avoid JavaScript cryptography, use SSL/TLS instead.
The main problems are:
You're not actually adding much security by using JavaScript cryptography on your website unfortunately.
On
Here is the snippet for RSA decoding compatible with jCryption. We assume that encExternalKey is what jCryption send in key parameter on handshake call. modulus and secretExponent are taken from 100_1024_keys.inc.php file that comes with jCryption.
RSAPrivateKeySpec privateKeySpec =
new RSAPrivateKeySpec(new BigInteger(modulus, 10), new BigInteger(secretExponent, 10));
RSAPrivateKey privateKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, privateKey);
StringBuilder externalKeyBuf =
new StringBuilder(new String(cipher.doFinal(new BigInteger(encExternalKey, 16).toByteArray())));
String externalKey = externalKeyBuf.reverse().toString().trim();
jcryption isn't as secure as you might think:
http://www.securityfocus.com/archive/1/520683
My recommendation... do something similar to this:
http://www.frostjedi.com/terra/dev/rsa/index.php
The following URL elaborates:
http://area51.phpbb.com/phpBB/viewtopic.php?f=84&t=33024&start=0