  1. Very Urgent! All about Security (2 messages)

    Hello,
      For sending the data across the network in encrypted format on the web, the SSL implementation will do that. But I wanted to send the
     password field in encrypted format. Consider the client sending
     a request for myform.htm, where he enters the username and password.
     After submitting the form, the data from myform.htm should
     go in encrypted format, so I included an applet, Sapplet, which
     contains the MessageDigest class and generates the encrypted data.
     The coded form of the password can be viewed in the query string after
     submitting the form. But how do I validate it at the server, which
     contains the actual password stored? What is required to decrypt the
     data and compare it with the password stored in the database?
        The request goes to login.jsp from myform.htm.
     How should the JSP be coded?
     Thanks,
     regards vicky.

    Threaded Messages (2)

  2. Very Urgent! All about Security

    In that case you shall do the following:

    1. Generate the key pair when the jsp page is called.
    2. Send the private key to the user which can be used for encryption.
    3. The encrypted message can reach you and you can decrypt with the public key.

    So even if the whole encrypted doc is exposed in between, there shouldn't be any problem.

    You can use the standard JCE package for implementation of the above program.

    Trust you get it.

    Reg,
    Shankar Raman

  3. Very Urgent! All about Security

    Hi Shankar,
      The concept is clear, but please correct me on the following
     procedure, which I will work with.
     Consider the encrypted password to be sent to the server. So the client's request is being sent to
     login.jsp. Now in login.jsp the keys will be generated,
     among which the public key is sent back to the client. So
     when you said the key, I believe it to be a .class file,
     and the object should work at the client's place, for which
     the .class file has to be loaded at the client side. Can the
     loading of the .class file (keys) be done only by loading
     the applets?
     After loading the public key in the client browser, the
     submission of the login form should ENCRYPT the password
     with the keys class of the applet. So the data goes in a
     secure format to the server.
     At the server, the string format of the encrypted password
     can be achieved, which has to be converted to the appropriate
     object (which I don't know) in order to get the decrypted
     password. That is it.
     Is the flow right?
     Also, once we get the certificate and send it to the
     client, does the public key within the certificate do
     all the encryption in the background?
     Please let me know about this.
     regards vicky
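
The flow described in the last post (public key sent to the client, password encrypted there, decrypted at the server with the private key), as an added JCE example that is not part of any post in the thread. The class and method names, the sample password, and the choice of a salted PBKDF2 hash as the stored database value are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginKeyFlow {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Salted, iterated one-way hash; assumed here to be what the database holds.
    static byte[] hash(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Client side: the key arrives as text (not a .class file); rebuild it and encrypt.
    static String encryptOnClient(String publicKeyText, String password) throws Exception {
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(publicKeyText)));
        Cipher c = Cipher.getInstance(RSA);
        c.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getUrlEncoder().encodeToString(c.doFinal(password.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side: request parameter string -> byte[] -> decrypt with the private key.
    static String decryptOnServer(PrivateKey key, String submitted) throws Exception {
        Cipher c = Cipher.getInstance(RSA);
        c.init(Cipher.DECRYPT_MODE, key);
        return new String(c.doFinal(Base64.getUrlDecoder().decode(submitted)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for the user's database row.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] stored = hash("constructed-password", salt);

        // Server generates the pair when the form is served; only the public key is sent out.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String publicKeyText = Base64.getEncoder().encodeToString(pair.getPublic().getEncoded());

        String submitted = encryptOnClient(publicKeyText, "constructed-password");
        String received = decryptOnServer(pair.getPrivate(), submitted);

        // Constant-time comparison of the recomputed hash with the stored one.
        System.out.println("login ok: " + MessageDigest.isEqual(stored, hash(received, salt)));
    }
}
```

A MessageDigest output, as used in the first post's applet, is one-way and cannot be decrypted; the server can only recompute a digest and compare, which is what the last line does. On a real page the private key would have to be held server-side (for example in the session, an assumption here) between serving the form and receiving the submit.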