
I'm using Angular 4 to make the front end of my application. I have implemented OAuth2 on my backend (developed with Spring in Java), so people using my application must be authenticated.

The thing is that we can clearly see the passwords in the backend server logs, and they could be caught by a MITM until I add SSL.

That's why I decided to encrypt the sent password with RSA. My backend is already ready, but I can't find any up-to-date libraries that provide a decent API for encrypt/decrypt with an RSA key pair.

I have also seen the crypto module, but it is no longer usable on ECMAScript 6. The crypto-js one only provides AES and some hashing such as MD5/SHA.


asked Oct 9, 2017 at 8:40 by Romeortec; edited Oct 9, 2017 at 8:57

  • There is nothing Angular specific. You can just search for the same question in JavaScript or TypeScript. – Günter Zöchbauer Commented Oct 9, 2017 at 8:44
  • Why does the password exist in the server log file? – yılmaz Commented Oct 9, 2017 at 8:48
  • I already did it, nothing – Romeortec Commented Oct 9, 2017 at 8:48
  • @yılmaz cuz it's the network logs, who cares. I just wanna add a security layer, I don't wanna send it in the clear – Romeortec Commented Oct 9, 2017 at 8:49
  • Also I am curious about how you got the password by MITM even though you use SSL? – yılmaz Commented Oct 9, 2017 at 8:49

2 Answers

Finally found a way, after installing some packages.

npm install buffer
npm install crypto-browserify

Then use it

import {config} from "../app.config";
import {Buffer} from 'buffer/';
import * as crypto from "crypto-browserify";

export class RsaService {
  private privateKey: string;
  private publicKey: string;
  private enabled: boolean;

  constructor() {
    // PEM-encoded keys and the on/off switch come from the app config
    this.privateKey = config.authentication.rsa.privateKey;
    this.publicKey = config.authentication.rsa.publicKey;
    this.enabled = config.authentication.rsa.enabled;
  }

  isEnabled(): boolean {
    return this.enabled;
  }

  encrypt(plaintext: string): string {
    if (!this.enabled)
      return plaintext;

    // Buffer.from replaces the deprecated `new Buffer(...)` constructor
    let buffer = Buffer.from(plaintext, 'utf8');
    // Encrypts with the private key; any holder of the matching public key
    // can reverse this with publicDecrypt
    let encrypted = crypto.privateEncrypt(this.privateKey, buffer);

    return encrypted.toString('base64');
  }

  decrypt(cypher: string): string {
    if (!this.enabled)
      return cypher;

    let buffer = Buffer.from(cypher, 'base64');
    let plaintext = crypto.publicDecrypt(this.publicKey, buffer);

    return plaintext.toString('utf8');
  }
}

Depending on where those network logs have been captured, it is really possible to get back the whole HTTP pipeline in plain text; once the SSL works on a specific communication layer, it's just listening to the stream on a higher layer and boom, it's there. This is an answer to some comments above.

About the architecture itself, it makes complete sense once you're worried about protecting your data from unwanted eyes, so in a theoretical way I would suggest some approaches:

1) create your own encryption method and use it on both sides. A simple matrix multiplication could be useful, sounds insane I know, but if it's a non-critical flow I don't see any problem with that

2) use crypto-js on both sides as well, like calling a JavaScript code portion from your Java code to encrypt/decrypt the password

3) use an external authentication/authorization entity, like Google, Twitter, Facebook, or a more enterprise solution like IBM BlueID, Azure or AWS, or even your own domain controller for that; or, even further, you can use an external auth entity with your own domain controller, which is called Federation

I mean, there are several options to get it solved, from something very simple like making your own solution up to a huge structure; not sure where you are between those two points, but it's cool to be aware when handling sensitive data.

Tags: javascript, RSA Encrypt/Decrypt in TypeScript, Stack Overflow