authentication / non-repudiation



  1. authentication / non-repudiation (2 messages)

    I'm looking for a way to encrypt a string using JavaScript, in such a way that I can verify that the original string was "pure", that no one has tried to break the system, to redo the encryption manually using a "hacked" (changed) string.

    For any encryption, you need a key. I don't see how I can hide that key from a user who starts looking in the sources.

  2. Public Keys

    This is where you use Public Key technology.
    You have a private key and a public key.

    The JavaScript has access to the public key while the secret key is kept secure on the server. What you are looking for is known as a message digest. Look up some of the security literature on Google for more information.

  3. all client side

    The problem is: it's an offline JavaScript application that is used to examine people. The correct answers are part of the exam definition, because the evaluation also is done offline. The score is written into a document, and should be saved by the user, to his local file system, ready to be transported later.

    1) I don't know how I can encrypt the correct answers safely, since the JavaScript needs to access the decrypted version.

    2) I also don't know how I can make sure that the score file is "original", and not a file created by a clever user who finds out how to format such a file, by looking in the JavaScript code that does it.

    1) could be solved by storing not each correct answer offline, but an irreversible hash of each correct answer. The evaluation would compare the hash of the user's input to the hashed correct answer. But we lose some "intelligent" feedback possibilities (like detecting the user had just one character wrong).

    2) this problem can imo not be solved by using JavaScript, because it's impossible to hide any key anywhere since it must exist offline. But maybe there are other possibilities, maybe browser-specific solutions?
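
One way to implement the hashed-answer comparison from point 1 of the last post, as an added example that is not part of the original thread. It assumes Node's built-in `crypto` module so that it runs stand-alone (a browser build would use `crypto.subtle` instead); the function names, the PBKDF2 work factor and the sample questions are constructed for illustration. It covers grading only and does not authenticate the score file from point 2.

```javascript
// Added example: grading against stored answer hashes instead of plaintext.
const crypto = require("node:crypto");

const ITERATIONS = 100000; // assumed PBKDF2 work factor, tune for target devices

// Normalise so case and stray whitespace do not change the hash.
function normalise(answer) {
  return answer.normalize("NFKC").trim().toLowerCase().replace(/\s+/g, " ");
}

// Salted, deliberately slow one-way hash of a normalised answer.
function hashAnswer(answer, saltHex) {
  const salt = Buffer.from(saltHex, "hex");
  return crypto
    .pbkdf2Sync(normalise(answer), salt, ITERATIONS, 32, "sha256")
    .toString("hex");
}

// Authoring side (not shipped): turn the answer key into an exam definition
// that carries only a per-question salt and hash.
function buildExam(questions) {
  return questions.map(({ id, text, answer }) => {
    const salt = crypto.randomBytes(16).toString("hex");
    return { id, text, salt, answerHash: hashAnswer(answer, salt) };
  });
}

// Offline client side: hash each response and compare with the stored hash.
// The only verdict is right or wrong; "one character off" is not detectable.
function grade(exam, responses) {
  const results = exam.map((q) => {
    const given = Buffer.from(hashAnswer(responses[q.id] ?? "", q.salt), "hex");
    const expected = Buffer.from(q.answerHash, "hex");
    return { id: q.id, correct: crypto.timingSafeEqual(given, expected) };
  });
  const score = results.filter((r) => r.correct).length;
  return { results, score, total: exam.length };
}

// Constructed sample exam and responses.
const exam = buildExam([
  { id: "q1", text: "What does JSP stand for?", answer: "JavaServer Pages" },
  { id: "q2", text: "Default TCP port for HTTPS?", answer: "443" },
]);
const report = grade(exam, { q1: "  javaserver   pages ", q2: "444" });
console.log(JSON.stringify(report));
```

The per-question salt keeps identical answers from sharing a hash, and the slow key-derivation function raises the cost of guessing short answers; neither makes a small answer space secret.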