2

I have an application which uses AngularJs 1.5 as front end and .net framework as a backend. In my application, I have to store username and password on the database which comes from the front end.The requirement is:

  1. AngularJs will encrypt the password and send it to the backend
  2. On the backend, encrypted password will get stored in the database.
  3. In the backend code, there is a place where we have to call a third party web API and have to pass the username and decrypted form of password for authentication purpose.

Put it in a nutshell, front-end should encrypt the password and backend should have the ability to decrypt it.

I have analyzed many techniques for secure transaction of the password.

  1. Hashing: It is the best method to securely transfer a password.But the problem is, we can't reverse the hashed password to its original form.According to my requirement, I have to reverse the hashed password to its original form since we have to pass the original form of password for authentication to a third party API.
  2. The symmetric algorithm uses the same key for decryption and encryption.So it is necessary to share the key securely to front end and backend. It is not a good method if we hard code the key value on both sides.
  3. The asymmetric algorithm uses the public and private key for encryption and decryption respectively.So I think this is much more secure than above two techniques.Since an intruder who has public key can't decrypt the password.

I am new to encryption and decryption handling with AngularJS. My query is about key handling.How we can securely store the key both in front-end and backend rather than hard-coding them in the code.Is there any secure way for sharing these keys.Which algorithm is best suited for my requirement? (From my analysis, I found that asymmetric is the better option for this requirement).

halfer
  • 19,824
  • 17
  • 99
  • 186
Kesiya Abraham
  • 753
  • 3
  • 10
  • 24

1 Answers1

0

Not sure if this is still relevant to you, but here comes. These are quite high level and broad questions you are asking, so I'm providing you some general guidance.

I would definitely use asymmetric encryption for this. I'd most likely pick something like RSA OAEP which produces different cipher text on the same input each time thanks to the random padding. This way an attacker won't learn that much from the cipher text that he could manage to intercept.

The key exchange is a trickier topic as your end-user software most likely runs in a browser (being an Angular app). One way to handle this could be to wrap your public key in a certificate that can be verified in the browser.

There are also many other attacks and aspects you need to consider. For example how to protect your system against replay attacks and how to rotate your keys while still meeting your availability requirements. Covering all topics in this answer is not possible them to being too broad, so I leave it here.

quinz
  • 1,282
  • 4
  • 21
  • 33