jCryption + CRAM are a good alternative to SSL?
I would like to know if jCryption + Challenge Response Authentication Mechanism are a good alternative to SSL.

I know that SSL is very much better, but I'm making a project where the owner doesn't want to buy an SSL certificate, and I would like to find a solution that gives the best security approach that can be achieved without the use of SSL.

Any ideas?

Barbarous answered 22/11, 2011 at 23:5 Comment(1)
Use SSL, ship the product with your own certificate. – Wages
No, it's not.

Just off the top of my head, I can think of many reasons: HTTP headers are still unencrypted, the key exchange is vulnerable to man-in-the-middle attacks, and you're putting a high degree of trust in client-side code.

Just use a free SSL certificate from Startcom.

Planter answered 22/11, 2011 at 23:12 Comment(3)
But the only key passed to the client is the public key, and it changes at every POST/GET. I forgot to say that the website should only work with JS enabled. – Barbarous
@CristianoSantos: It would be impossible for the client to know that the public key it has received is authentic (this is essentially what SSL certificates do). An attacker could change the public key sent from the server and send the client his public key -- a classic MITM attack. – Planter
Hmm, right. I didn't think of that... Just to finish this topic, is it possible to know whether the public key received by the client is authentic without using SSL? – Barbarous
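As an added illustration of the point made in this answer and its comments (not code from the original post or from jCryption): a toy model of the check that a certificate boils down to. The client holds a trust anchor's public key and accepts an offered key only if the anchor has signed it, so a substituted key is rejected even though it is just as fresh as the genuine one. All primes, keys and the secret are constructed toy values.

```python
# Toy RSA on tiny hard-coded primes (constructed values, only to make the trust
# logic visible; real keys are thousands of bits and generated at random).
def toy_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public key, private key)

def rsa_apply(key, m):
    n, exp = key
    return pow(m, exp, n)

def key_digest(pub):
    # Toy: the value the anchor signs is just the modulus, which is already
    # below the anchor's own modulus. Real certificates hash key and identity.
    return pub[0]

def ca_sign(ca_priv, pub):
    return rsa_apply(ca_priv, key_digest(pub))

def client_accepts(ca_pub, pub, signature):
    # What a certificate check boils down to: the offered key must be vouched
    # for by an anchor the client already holds. Being fresh or well-formed is
    # not evidence of anything.
    return rsa_apply(ca_pub, signature) == key_digest(pub)

CA_PUB, CA_PRIV = toy_keypair(101, 113)        # anchor baked into the client
SERVER_PUB, SERVER_PRIV = toy_keypair(61, 53)  # the genuine per-request key
SERVER_CERT = ca_sign(CA_PRIV, SERVER_PUB)     # vouched for by the anchor
RELAY_PUB, RELAY_PRIV = toy_keypair(71, 67)    # a substituted key, just as fresh

def demo(secret=42):
    """Contrast a client that trusts any key it receives with one that checks."""
    # Client with no authentication step (the jCryption model in the question):
    # it encrypts to whatever key arrived, so that key's real owner can read it.
    ct = rsa_apply(RELAY_PUB, secret)
    relay_reads = rsa_apply(RELAY_PRIV, ct) == secret
    # Client that checks the anchor: the substitute cannot mint a signature, so
    # the best it can do is reuse the genuine one or send none; both fail.
    replayed = client_accepts(CA_PUB, RELAY_PUB, SERVER_CERT)
    unsigned = client_accepts(CA_PUB, RELAY_PUB, 0)
    genuine = client_accepts(CA_PUB, SERVER_PUB, SERVER_CERT)
    return {"unauthenticated_client_leaks_secret": relay_reads,
            "substitute_with_replayed_signature_accepted": replayed,
            "substitute_without_signature_accepted": unsigned,
            "genuine_key_accepted": genuine}
```

The anchor here plays the role a CA certificate plays in SSL; without something like it shipped to the client ahead of time, there is nothing to compare a received key against, which is why the per-request key change does not help.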
In the info section of jCryption:

jCryption at its current state is no replacement for SSL, because there is no authentication, but the main goal of jCryption should be a very easy and fast-to-install plugin which offers a base level of security.

It's quite self-explanatory. This plugin is not a replacement for SSL in any way, nor is it meant to be. The goal is not high-tech security.

If you want security that can be trusted in any way, just buy an SSL certificate. Or make your own, if you wish.

Wholewheat answered 22/11, 2011 at 23:11 Comment(1)
I saw that. This is why my question puts CRAM together with jCryption. How bad is it in terms of security risk if the POST/GET data is encrypted with a one-time-only public/private key and the passwords of a login session are still encrypted because of the CRAM? – Barbarous
You can try using the Challenging Authentication-Agreement Protocol (CAAP). I suggest for the algorithms you use RSA and Serpent in CTR mode with an HMAC-SHA-512 authentication code appended to each message. This can be implemented securely with minimal knowledge. Although a nicely configured SSL system would probably be even easier and safer.

You can always start your own certificate authority internal to your organization if this is not a public facing server. That way SSL certificates will not cost you an arm and a leg.

Bove answered 23/11, 2011 at 1:15 Comment(2)
Didn't jCryption offer CAAP, using RSA and AES? – Barbarous
To my knowledge, no widely distributed software has implemented CAAP. At least not under that name. – Bove
jCryption intends to only offer a secondary protection to your sensitive data. SSL is always your primary encryption and protection mechanism.

As most websites are completely dependent on SSL certificates for protection, new ways are developed to hack or steal certificates. In the event that your certificate is stolen, you are exposed to a man-in-the-middle attack. And this is where jCryption comes into play. The hacker still cannot have meaningful access to your sensitive data if you have a secondary protection (kind of similar to 2-factor authentication).

Hope this helps.

Quipster answered 4/5, 2019 at 17:34 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.