8

I'm using Angular 4 to make the front end of my application. I have implemented OAuth2 on my backend (developed with Spring in Java), so people using my application must be authenticated.

The thing is that the passwords are clearly visible in the backend server logs, and they could be caught by a MITM until I add SSL.

That's why I decided to encrypt the sent password with RSA. My backend is already ready, but I can't find any up-to-date libraries that provide a decent API for encrypting/decrypting with an RSA key pair.

I have also seen the crypto module, but it is no longer usable on ECMAScript 6. The crypto-js one only provides AES and some hashing such as MD5/SHA.

Romeortec
  • There is nothing Angular specific. You can just search for the same question in JavaScript or TypeScript. – Günter Zöchbauer Oct 09 '17 at 08:44
  • Why does the password exist in the server log file? – yılmaz Oct 09 '17 at 08:48
  • I already did it, nothing – Romeortec Oct 09 '17 at 08:48
  • @yılmaz cuz it's the network logs, who cares. I just wanna add a security layer, I don't wanna send it in the clear – Romeortec Oct 09 '17 at 08:49
  • Also I am curious about how you got the password by MITM even though you use SSL? – yılmaz Oct 09 '17 at 08:49
  • I meant that it's currently possible to catch it, until I add SSL later – Romeortec Oct 09 '17 at 08:51
  • There is the Microsoft JavaScript crypto library (MIT licensed): https://www.microsoft.com/en-us/download/details.aspx?id=52439 which provides RSA encrypt/decrypt – Regis Portalez Oct 09 '17 at 08:59
  • This has problems way beyond RSA and TypeScript. If you're a modern company, you don't collect passwords in plaintext, period. It's not a debate, just like if you're at a shooting range you don't shoot your friends. Passwords should be collected and sent as hashes in a modern cryptographically-secure hashing system like bcrypt or scrypt, or at bare minimum SHA-256, to ensure passwords can never be recovered or intercepted in plaintext. I'd do my best to make sure your company or whoever built the system you're working on knows this, as you're opening yourself up to loads of issues. – TheEnvironmentalist Oct 09 '17 at 09:02
  • @TheEnvironmentalist you're right, but the MITM doesn't care what you're sending over the wire - if they get a *hash* they can submit to make malicious requests on your behalf instead of a *password*, so what? Password salting and hashing is more about the *storage* in the backend database. Protecting the password *in transit* is about connection security: https://stackoverflow.com/a/37707074/3001761 – jonrsharpe Oct 09 '17 at 09:12
  • + there is no hash by default, I have to call an LDAP (Active Directory) from my backend – Romeortec Oct 09 '17 at 09:21

2 Answers

8

Finally found a way, after installing some packages.

npm install buffer
npm install crypto-browserify

Then use it:

import {config} from "../app.config";
import {Buffer} from 'buffer/';
import * as crypto from "crypto-browserify";

export class RsaService {
  private privateKey: string;
  private publicKey: string;
  private enabled: boolean;

  constructor() {
    // PEM-encoded keys and the on/off switch come from the app config
    this.privateKey = config.authentication.rsa.privateKey;
    this.publicKey = config.authentication.rsa.publicKey;
    this.enabled = config.authentication.rsa.enabled;
  }

  isEnabled(): boolean {
    return this.enabled;
  }

  encrypt(plaintext: string): string {
    if (!this.enabled)
      return plaintext;

    // Buffer.from replaces the deprecated `new Buffer(string)` constructor
    let buffer = Buffer.from(plaintext, 'utf8');
    // RSA operation with the private key; the matching public key reverses it
    let encrypted = crypto.privateEncrypt(this.privateKey, buffer);

    return encrypted.toString('base64');
  }

  decrypt(cypher: string): string {
    if (!this.enabled)
      return cypher;

    let buffer = Buffer.from(cypher, 'base64');
    // reverse of privateEncrypt: the public key recovers the original bytes
    let plaintext = crypto.publicDecrypt(this.publicKey, buffer);

    return plaintext.toString('utf8');
  }
}
Romeortec
-6

Depending on where those network logs have been captured, it is really possible to get back the whole HTTP pipeline in plain text: once SSL works on a specific communication layer, you just listen to the stream on a higher layer and boom, it's there. This is an answer to some comments above.

About the architecture itself, it makes complete sense once you're worried about protecting your data from unwanted eyes, so in a theoretical way I would suggest some approaches:

1) create your own encryption method and use it on both sides. A simple matrix multiplication could be useful; it sounds insane, I know, but if it's a non-critical flow I don't see any problem with that

2) use crypto-js on both sides as well, like calling a JavaScript code portion from your Java code to (de)encrypt the password

3) use an external authentication/authorization entity, like Google, Twitter, Facebook, or a more enterprise solution like IBM BlueID, Azure or AWS, or even your own domain controller for that; or, even further, you can use an external auth entity with your own domain controller, which is called Federation

I mean, there are several options to get it solved, from something very simple like making your own solution up to a huge structure. Not sure where you are between those two points, but it's cool to be aware of sensitive data.

Quirinux
  • *"create your own encryption method"* - that is awful advice. See e.g. https://security.stackexchange.com/q/18197/72084 – jonrsharpe Oct 09 '17 at 09:26
  • No point in creating your own encryption when so many are out there and doing fantastic work. Creating your own is for lazy developers who don't wish to learn a new language/library/feature – Devaffair Mar 07 '18 at 14:59