Thursday, August 29, 2013

Re: Javascript encoding and python decoding and vice versa

On Wed, Aug 28, 2013 at 7:53 PM, Samantha Atkins <sjatkins@gmail.com> wrote:
> We all know about SSL so stop the lectures please. Sometimes you simply
> want to reasonably encrypt on client and decrypt on server and for one
> reason or another SSL is not an option.

SSL is always an option; you are just not choosing it. Using JS crypto
is fine, assuming you do all the appropriate things that SSL does in
order to transmit a secure session key to the client. If you don't do
that, you might as well use ROT-13 encryption.

On Wed, Aug 28, 2013 at 7:51 PM, Samantha Atkins <sjatkins@gmail.com> wrote:
> So if I use sjcl.encrypt at browser then how do I do the equivalent of
> sjcl.decrypt in python at server side. That is what the original question
> was asking as I read it.

Since there is no such thing as 'sjcl.encrypt', there is no answer to
this. If you wanted to use CryptoJS's AES encryption, however, you could
do something like this on the client (as taken from the linked docs...):

<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
<script>
// Passphrase mode: CryptoJS derives the AES key and IV from the passphrase.
var encrypted = CryptoJS.AES.encrypt("JS crypto is daft", "Secret Passphrase");
// encrypted.toString() is the Base64 string you would send to the server.
</script>

And then the purpose of using STANDARD crypto becomes clear: you use
the py-crypto library to decode it:

from Crypto.Cipher import AES
from Crypto.Hash import MD5
import base64

passphrase = b'Secret Passphrase'
# encrypted_string is encrypted.toString() from the browser: Base64 of "Salted__" + 8-byte salt + AES-256-CBC ciphertext (PKCS#7 padded)
blob = base64.b64decode(encrypted_string)
salt, ciphertext = blob[8:16], blob[16:]
# Key and IV come from OpenSSL's EVP_BytesToKey (MD5, one iteration): D_i = MD5(D_{i-1} + passphrase + salt)
d = b''
while len(d) < 48:
    d += MD5.new(d[-16:] + passphrase + salt).digest()
key, iv = d[:32], d[32:48]
decobj = AES.new(key, AES.MODE_CBC, iv)
padded = decobj.decrypt(ciphertext)
plaintext = padded[:-ord(padded[-1:])]  # strip PKCS#7 padding

I've not tested any of this; CryptoJS might not use ECB by default.

All of this, of course, does not take into account my first warning
about key exchange. Without effective key exchange, your "secret"
passphrase is passed over the internet in the clear, meaning anyone
who wants to defeat your encryption needs only monitor that and your
encrypted data, and effectively your content is not encrypted at all.

Just use SSL. I'm sorry if you feel that advice is unhelpful; it
really isn't. See this answer for fuller explanations:

http://stackoverflow.com/questions/9833527/client-side-encryption-over-http-with-diffie-hellman-key-exchange-and-aes

Cheers

Tom

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.
