Encryption Java script (long question)

0 like 0 dislike
7 views
Or the flash. Or Silverlite. Or something else, but on the client side. Happen?

Prelude:
The full question sounds like this: there are 10,000 shops. For practical purposes they want to share information about purchases, "and you have the same buyer?". There is a single center, which will conduct the comparison. But none of the network members do not trust neither the center nor each other. To pass specific data about your customers, nobody wants. Then there is the idea: each store separately considers the hash all fields (customer name, card number, address,...) and merges them into one single center, where he reported and that there is someone else in the network. This, in theory, the trust problem solved.

Act:
To calculate the hash on the server side is possible, this problem will be removed, but the implementation of such a mechanism requires the intervention of programmers. And out of 10,000 participating stores, the vast majority of such opportunity is not present or it seems to them too gemoroyno. They would like to have something like Google Analitichnogo code for checking out code, which is relatively easy to build, but still would not transfer customer data in the clear center, because they did not believe.
Here it seems to me that in principle it can be done (not taken into account while the complexity of the script). Total of the first part of the question, for form's sake asked: am I right, is it possible?

Heavy part:
What about the authorization? If all the hashing is done on the client side, how to make so that an outsider attacker can shove the left data into the system on behalf of one of the shops? While not touching (or minimizing) executable scripts on the server side of the store.

Of home explanation: now you have a store on Yahoo Store. Does not allow you Yakha touch your server. Java script unable to enter in the page of checking out code. But no more. And to live as it is necessary.
by | 7 views

7 Answers

0 like 0 dislike
To implement any hashing algorithm (md5, sha1, etc). But: if the script will have access to all the information that needs to be encrypted, without analysing the script you can't tell, not if he sends it all in the clear. Besides, in order to provide script information about the name of the user, the card number and address, that's still going to have to extract from any of the database on the server. And this is work with server part.
\r
\rRead. Perhaps it would be better if all the logic definition user will lie to You, and the client will only need to add the script.
by
0 like 0 dislike
Imagine how all be simplified if there is a server that everyone will trust.
And "dead souls" possible bundles in the center to send.
by
0 like 0 dislike
Hashes, md5 and sha1: pajhome.org.uk/crypt/md5/
Symmetric 3DES: www.tero.co.uk/des/test.php
Asymmetric RSA: www.ohdave.com/rsa/
here all that is necessary for the soul.
ps. the idea that you will not understand (what you want-what data to merge, who cares, who to trust and who not?) but it means, I think, all that may be necessary.
by
0 like 0 dislike
Assessing the space of the room issued Bank cards 26-bit, names 13 bit name bit 13 (dobukvenno card, to avoid the problem of typos)) we get about 52 bits. Considering that to check the salt should be the same for the entire system, revealed the threat to build rainbow tables for your system.
\r
If you add an address, there are many problems with typos.
\r
Perhaps add the expiration date and the day of birth of the buyer (it's hard to enter these figures wrongly) will spread the set of values for a calculated limit, but all the same, threat values are very close (on the edge).
\r
The threat of stuffing a fake data store-a system participant or a third party attacker can't see — in the space of the hash function in 128-256 bit doesn't have the capability "to nabrasyvanii" before the actual collision.
by
0 like 0 dislike
You would use javascript to read the hash on the required fields, and send to the center, which will analyze and compare the hashes.
\r
In order for an attacker "could not shove the left data into the system on behalf of one of the shops" it would be possible to sign send the hash with the private key of the store. But if you do it all with JavaScript, the key need to store in a place accessible from JavaScript, and therefore any of the buyers with FireBug can obtain the private key for signing.
by
0 like 0 dislike
In order for an attacker "could not shove the left data into the system on behalf of one of the shops" it is better to use client certificates — user-friendly and do not need development — access restriction works at the level of the browser and the web server.
by
0 like 0 dislike
Heavy part:
What about the authorization? If all the hashing is done on the client side, how to make so that an outsider attacker can shove the left data into the system on behalf of one of the shops? While not touching (or minimizing) executable scripts on the server side of the store.
\r

It's not the hard part. This is the main reason not to do such a stupid thing.
The code on the client is opened with all the consequences.
by

Related questions

0 like 0 dislike
4 answers
0 like 0 dislike
4 answers
0 like 0 dislike
6 answers
110,608 questions
257,186 answers
0 comments
28,648 users