I need to generate a key from a passphrase in a JSP page using the PBKDF2WithHmacSHA1 algorithm with the CryptoJS library, then use this key to encrypt the user's login password and pass it to the server; on the server, I generate the key again and decrypt the user's login password.

I know I should not pass the passphrase or key from the client to the server over HTTP during login, but can I save the passphrase in the login JSP page? If not, how can I use the passphrase to generate the key in the JSP page?

Even if I use a JavaScript variable to store the passphrase, the user can still use JavaScript debug mode to watch the value of the passphrase variable, so I think there is no way to hide the passphrase value in the JSP page. Is there any method?

Or does the design of encrypting the login password on the client side using JavaScript have a problem?

user1169587

1 Answer

No. Generate a one-way hash on the server for the user's input (using best practice, including a safe hashing algorithm and salting). Compare any future user input against that hash by generating a new hash with the user's input using the same algorithm, then compare the two hashes.

Kuffs
eyelidlessness
  • Then how do I generate the key in JSP? – user1169587 Dec 30 '13 at 09:07
  • "Compare any future user input against that hash by generating the hash with the same algorithm" – yes, but then how do I generate the same hash in JSP without storing the passphrase in JSP? – user1169587 Dec 30 '13 at 09:16
  • Edited: Generate a one-way hash on the server for the user's input (using best practice, including a safe hashing algorithm and salting). Compare any future user input against that hash by generating a new hash with the user's input using the same algorithm, then compare the two hashes. – eyelidlessness Dec 30 '13 at 09:17
  • @user1169587, you only store the hash. You must compare any future input from the user by generating a new hash and comparing the new hash against the original. – eyelidlessness Dec 30 '13 at 09:19
  • I still do not understand: to generate a new hash in JSP, I need to generate the key in JSP, and then I need the passphrase in JSP... – user1169587 Dec 30 '13 at 09:21
  • `function hash(passphrase) { ... }` <- Write this function first. Then call this function for generation of the stored hash. Then call it again for comparison when the user submits a potentially valid passphrase. – eyelidlessness Dec 30 '13 at 09:23
  • hash(passphrase), but in JSP, can't the user use debug mode and watch the value of the passphrase parameter? – user1169587 Dec 30 '13 at 09:27