First, I'm sorry. I'm not English; I'm Persian. I apologize for any mistakes in writing up this idea.
Recently (21/09/2008) I had a small idea for transferring data in Web 2.0 applications, with the client and the server using the same encryption algorithm.
I call it ECMAST, and I will rename it later. :D
Maybe it's an old approach, but I have worked with many JavaScript libraries (jQuery, Dojo, etc.) and they do not have this method for transferring data securely.
Look at my idea and post a comment about it:
ECMAScript Secure Transform (ECMAST) is a server-side and client-side technique for transferring Web 2.0 data (for example XML and JSON) securely without SSL.
It is for web pages that must transfer data securely through Web 2.0 components, for example Ajax, without SSL.
No, because the key used for your hashing is available on the client side.
But your data will travel over the network with security, and the ISP and the gateways between your server and the client cannot process it. That will greatly improve the data transfer in your Web 2.0 application.
Note:
The yellow circles are the operation numbers.
By default I use PHP as the server language and JavaScript as the client script.
The server starts the process and generates the session id:
<?php
define('ECMAST_CHECKSUM', 'Peace For Ever'); // checksum value
session_start();
$a = array(
    'errorControl' => ECMAST_CHECKSUM, // marker used to check that the data was encrypted and decrypted correctly
    'name' => 'Cyrus',
    'country' => 'Iran',
    'creditpassword' => '123456789'
);
$cryptionkey = md5(session_id() . $_SERVER['HTTP_USER_AGENT']); // encryption key
function encryptor($data, $cryptionkey) {
    // return $data encrypted with $cryptionkey as the key
}
echo base64_encode(encryptor(json_encode($a), $cryptionkey)); // base64 gives a standard text encoding
// VGhpcyBpcyBhbiBlbmNvcyBhbiBlbmNvcyBhbiBlbmNvcyBhbiBlbmNvZGVkIHN0cmluZw==
The server response headers look like this:
Date: Sat, 20 Sep 2008 23:58:17 GMT
Server: Apache/2.2.9
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cfe7d97a6e10e706121255bdff0c8e7a; path=/
...
The PHPSESSID value is part of the key.
Your data passes through every server on the way to the client in encrypted form.
Your data is decrypted and processed by the client script, and the result is sent to the server.
<script type="text/javascript">
function keyLoader() {
    /*
     * load the static key from the server to include it in the algorithm
     */
}
function encrypt(value) {
    /*
     * the encryption key is the cookie 'PHPSESSID' value : cfe7d97a6e10e706121255bdff0c8e7a
     * plus the user agent and the static value from keyLoader().
     * base64-encode the result to get a standard text encoding
     */
}
function decrypt(value) {
    /*
     * base64-decode to recover the original encrypted data
     * the decryption key is the cookie 'PHPSESSID' value : cfe7d97a6e10e706121255bdff0c8e7a
     * plus the user agent and the static value from keyLoader().
     */
}
function cryptLoader() {
    /*
     * 1. load the data with the XMLHttpRequest object
     * 2. decrypt(XMLHttpRequest);
     * 3. check 'errorControl' against the static value : 'Peace For Ever'
     * 4. if it matches, return the decrypted value, else an error message
     */
}
function fillme(object) {
    var data;
    data = cryptLoader();
    // object.value = data;
}
function sendme() {
    /*
     * 1. get the data of the object // in this example the 'textarea'
     *    encrypt('value of textarea');
     * 2. set the checksum of the data // 'errorControl' = 'Peace For Ever'
     * 3. send it with XMLHttpRequest
     */
}
</script>
<textarea onclick="fillme(this);"></textarea>
<input type="button" onclick="sendme();" />
Your data again travels in encrypted form across every server along the way.
Your data has been decrypted and is ready for processing.
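<?php
session_start();
$cryptionkey = md5(session_id() . $_SERVER['HTTP_USER_AGENT']); // same key derivation as in the first script
function decryptor($data, $cryptionkey) {
    /*
     * decrypt $data with $cryptionkey as the key
     * check for the checksum 'Peace For Ever'.
     * return the decrypted data
     */
}
// for example, the data was sent with the POST method
$data = decryptor(base64_decode($_POST['data']), $cryptionkey);
// ready to process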
...
It's simple. Huh?
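The flow above as a runnable Node.js sketch, added here as an example and not the author's code. Assumptions: AES-256-CBC stands in for the unnamed cipher, the key follows the PHP derivation (session id plus user agent, without the keyLoader() static value), and the user agent string is constructed. It also shows that the key can be rebuilt from the Set-Cookie and User-Agent header text alone, which without SSL travels in the clear next to the data.

```javascript
// Added example (Node.js). AES-256-CBC is an assumption: the page names no cipher.
const crypto = require('crypto');

const ECMAST_CHECKSUM = 'Peace For Ever'; // marker value from the page

// Same derivation as the page's PHP: md5(session_id() . HTTP_USER_AGENT).
function deriveKey(sessionId, userAgent) {
  return crypto.createHash('md5').update(sessionId + userAgent).digest('hex');
}

// Encrypt an object as base64(iv || ciphertext), adding the errorControl marker.
function encryptPayload(obj, key) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', Buffer.from(key, 'utf8'), iv);
  const body = JSON.stringify({ errorControl: ECMAST_CHECKSUM, ...obj });
  return Buffer.concat([iv, cipher.update(body, 'utf8'), cipher.final()]).toString('base64');
}

// Decrypt and check the marker; returns null on a wrong key or damaged data.
function decryptPayload(b64, key) {
  try {
    const raw = Buffer.from(b64, 'base64');
    const decipher = crypto.createDecipheriv('aes-256-cbc', Buffer.from(key, 'utf8'), raw.subarray(0, 16));
    const text = Buffer.concat([decipher.update(raw.subarray(16)), decipher.final()]).toString('utf8');
    const obj = JSON.parse(text);
    return obj.errorControl === ECMAST_CHECKSUM ? obj : null;
  } catch (e) {
    return null; // bad padding, short input or invalid JSON
  }
}

// Rebuild the key from header text only: Set-Cookie (response) and User-Agent (request).
function keyFromHeaders(setCookieHeader, userAgentHeader) {
  const m = /PHPSESSID=([^;\s]+)/.exec(setCookieHeader);
  return m ? deriveKey(m[1], userAgentHeader) : null;
}

// Session id from the page's header dump; the user agent is a constructed sample.
const SAMPLE_SID = 'cfe7d97a6e10e706121255bdff0c8e7a';
const SAMPLE_UA = 'Mozilla/5.0 (constructed sample)';

function demo() {
  const serverKey = deriveKey(SAMPLE_SID, SAMPLE_UA);
  const wire = encryptPayload({ name: 'Cyrus', country: 'Iran' }, serverKey);
  const headerKey = keyFromHeaders(`PHPSESSID=${SAMPLE_SID}; path=/`, SAMPLE_UA);
  return { sameKey: headerKey === serverKey, opened: decryptPayload(wire, headerKey) };
}
```

The errorControl marker only detects a wrong key or damaged data; it is not a keyed integrity check.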
My name is Muhammad Hussein Fattahizadeh. I'm a web designer, developer and programmer. I'm 23, and I'm a programmer who enjoys using free and open-source tools to write code.