Client side encryption - any recommendations / best practices. Point me in the right direction?

We have a requirement to encrypt the client part of the data in order to provide a "secure" channel between our client browser and the provider.

Basic premise: The provider generates a public / private key pair: VendorPub and VendorPriv

Our customers enter sensitive data. When sending JavaScript in the form, the sensitive part of the data is encrypted; what is sent to our server is VendorPub (SensitiveData).

We present this package to our supplier as VendorPub (SensitiveData), only they can use this data.

Regardless of the key length and the approved algorithms (RSA and 4096, respectively), and, of course, everything will be over an SSL connection ...

It looks doable, but I haven't scoffed at it yet ... Any suggestions? Traps?

Our development environment is Visual Studio 2k5 / 2k8 / ASP.net 2.0 or 3.0

Thanks

+1
4 answers

Other answers currently seem to have missed the point: "We are passing this package to our vendor as VendorPub (SensitiveData), only they can use this data." In other words, you are a relay that processes data like a black box.

What you describe is doable if the amount of data is not very large. Remember that you cannot force users to wait for your JavaScript to be fixed.

RSA4096, , . 2048 3000 - 30 . , . - (DSA) RSA - , , () . , .

, , , JS.

, ; -, JavaScript, , , . .

+3
+2

, ( ) , SSL- ( TLS).

, PK - MITM - . , , , - . , 1) SSL/TLS , 2) SSL/TLS . , .

, , SSL/TLS , .

0

So, the final answer: It is doable, fast enough and reasonably safe. However, since this is a PCI requirement to distinguish our environment, it failed because we will still use the encryption method, i.e. the JavaScript which will do the encryption will be served from our system.

Thanks to everyone who came in.

Gary

0
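The scheme from the question (the browser encrypts to VendorPub and the relay forwards an opaque package), sketched with the Web Crypto API of current browsers. This is an added example, not code from the thread; the function names, the package layout and the hybrid AES-GCM plus RSA-OAEP construction are assumptions, chosen so that payload size is not capped by the RSA key.

```javascript
// Resolve Web Crypto in a browser or in Node (dynamic import covers older Node).
async function webCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto
                                   : (await import('node:crypto')).webcrypto;
}
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Browser side: vendorPubSpki is VendorPub as DER SubjectPublicKeyInfo bytes.
async function encryptForVendor(vendorPubSpki, sensitiveText) {
  const wc = await webCrypto();
  const vendorPub = await wc.subtle.importKey(
    'spki', vendorPubSpki, { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['wrapKey']);
  // A fresh AES-256-GCM key per submission carries the data; only that key
  // is encrypted with RSA, so the field may be longer than one RSA block.
  const dataKey = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, dataKey, new TextEncoder().encode(sensitiveText));
  const wrapped = await wc.subtle.wrapKey('raw', dataKey, vendorPub, { name: 'RSA-OAEP' });
  // This object is what the relay server receives and forwards unchanged.
  return { wrappedKey: b64(wrapped), iv: b64(iv), ciphertext: b64(ct) };
}

// Vendor side, included only so the round trip can be checked.
async function decryptAtVendor(vendorPriv, pkg) {
  const wc = await webCrypto();
  const dataKey = await wc.subtle.unwrapKey(
    'raw', unb64(pkg.wrappedKey), vendorPriv, { name: 'RSA-OAEP' },
    { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64(pkg.iv) }, dataKey, unb64(pkg.ciphertext));
  return new TextDecoder().decode(pt);
}

// Constructed stand-in for the vendor's key pair; a real vendor generates it
// and publishes only the public half.
async function demoVendorKeys(bits = 4096) {
  const wc = await webCrypto();
  const kp = await wc.subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: bits,
      publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    true, ['wrapKey', 'unwrapKey']);
  return { spki: await wc.subtle.exportKey('spki', kp.publicKey), priv: kp.privateKey };
}
```

The relay holds no key that opens the package, but the script performing the encryption is still served from the relay's system, which is the limitation the final answer describes.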