Wednesday, December 2, 2015

Encryption on UI and Decryption on Server using Spring with AES 128 bit algorithm


Problem taken
Perform encryption of sensitive data at client/UI side using java script and perform decryption at Server end.

This is again debatable but most of enterprise applications; specially Banking applications; demands client side encryption for their sensitive data.

I had a discussion with some technical personalities in my current company as well and reached to conclusion that applying encryption at UI or Javascript side is really a very weak choice.  
Reason - To perform encryption at client side that means on UI via Javascript, Server needs to send secret key at client side and this is the place where integrity can be compromised.  There is no other way.

Still I am writing this blog where I personally made some tweaks to make algorithm little bit random in nature so that it takes more time for some one to crack.

Technology stack

Proposed Solution
With the use of Crypto JS Interoperable encryption library certain fields which carry sensitive information will be encrypted by the system (on UI/Server) and will be decrypted at another system (Server/UI).  Once decryption performed successfully, process will be carry forwarded; and in case of failure request will be discarded.

In creating encrypted value for a data there are few parameters that are required by Crypto JS library which are:
·        secret-password
·        iv
·        salt 

All these three variables will be generated randomly for each encryption request.  System time will be taken into account along with HTML encryption to ensure uniqueness.  

Ex of encrypted data
“Text to encrypt” 
            encrypted to 

Complete Flow

UI Side
  1. Time stamp is generated
  2. A Random number is generated
  3. Time stamp multipled with random number
  4. Then above data converted to hexadecimal
  5. Then same data is converted to hexadecimal conversion as per ascii table for non-numeric characters, ex. '%65' for 'A'
  6. This encrypted string will be used as key (pass-phrase)
  7. IV will be generated randomly
  8. Salt will be generated randomly
  9. Cipher Text will created using IV, Salt and Key
  10. Now we have 6 parameters (cipher-text, iv, salt, pass-phrase, iteration-count (constant), keysize (constant))
  11. These 6 parameters will be added as a string but every time at random position and there positions will be given to server as well.
    1. Positions will be generated in numeric way as below
    2. Ex. 043512 or 120354 or 403512 …
    3. Now out of these 6 digits we will pick any 3 digits at random and convert into corresponding char like ‘a’ for 0, ‘b’ for 1 etc
    4. Ex 043512  -> 0ed5b2
  12. This position string will be appended to encryption string and send to server

Server Side
  1. Server will split values based on delimiters (COMMA)
  2. Then take final variable which will be representing there indices
  3. Character will be converted to number
  4. Final parameters will be retrieved
  5. CipherText will be decrypted using "AES/CBC/PKCS5Padding".
Ex. of a encrypted (Green is separator and red are positions) text ce8ebf95d268caa811830afa922d92dc__bcdef567kop48__2227026d7ef9a18dae6394332378d40c__bcdef567kop48__128__bcdef567kop48__1000__bcdef567kop48__/+PdrEhznCcTEb/r+vlilA==__bcdef567kop48__%31%34%66%65%65%65%66%36%33%31%301vjqgqutx8fyb1ulwsx3s5ef74__bcdef567kop48__1,c,5,d,4,a

Complete code with sample is present at my GitHub.