Let's begin from thinking about which all places can we actually need to put encryption into action and the way do we implement them? Except the wide ranging encryption done on the Database end, there are two popular approaches of implementing encryption - One, which is done in the client side (normally the one we will mainly mention in this article) and Two, that is done at the server side (i.e., the request carries your password and at the server it's encrypted being processed further). Decrypt Bcrypt Online
The first kind of the two is obviously advisable to have as it eliminates the chance of the request being intercepted in the centre before it actually reaches the web/app server. Well... you can say that the data packaged in a HTTP POST request is automatically encrypted in case there is HTTPS, but an extra amount of encryption will only improve the security of the web application. Needless to say, the implementation shouldn't be too much time consuming otherwise the benefits of having a more secure application will probably be ruled over by the frustration it might provoke its end-users.
Though, it depends upon the actual implementation, but possibly the preferred choice (in highly secure systems) is that the actual password should not be exposed anywhere in system, this means the encrypted password saved in DB is fetched and probably not decrypted to actual password that this end-user uses, but instead some other form which is matched with all the decrypted one at the middle-tier to authenticate an individual.
The entered password is first encrypted in the client side with all the Public Key ('public key1' in the above diagram) and then the encrypted password reaches the App Server where it's decrypted a corresponding Private Key ('private key1' within the above diagram). App Server also fetches the password stored in the database, which might need to be decrypted using another Private Key ('private key2' in the above diagram). Now, the implementation from the algorithms and the generation in the keys should be in ways that both the decrypted passwords 'decryptedpwd1' and 'decryptedpwd2' should match equal for all your valid cases plus they should be unequal otherwise. Hash Bcrypt
How do the encryption be implemented? Will JavaScript/VBScript suffice?
Next question arises, exactly how should we do it effectively possibly at the same time without consuming long? The fastest possible way would possibly be to have some mechanism in place so that the encryption can occur at the client side only. Okay, so, just how can the encryption come about at the client side? When we put both the encryption also definition and also the public key in the JavaScript (or VBScript) code and the other can easily see everything by viewing the page source. Have you think that making the JavaScript external can solve your trouble? As in you only declare the JS file therefore and not list down the contents. Well... if you did think this, you still have to think again. A external JS file is every bit exposed for viewing with the clients as you can simply type the trail (if the path is absolute Or maybe append the relative route to the roor URL) inside the browser window so the JS will be there that you should be viewed. We'll see examples below. Evidently, the encryption won't really carry any benefit here.
How else can we do it at the client side? How good would Applets be?
Yeah... you got a better strategy for handling the situation. Inevitably that applets are also downloaded to the client machine and so are executed at client machine itself, and we all can now make use of the Java programming language and it is security mechanism for having the encryption implemented in the far better manner. What's probably a far more appealing about this approach is that you may NOT see the source in the applet class(es) directly. These are normally shipped in JAR bundles giving an extra layer of security. It is possible to claim that since the JARs are downloaded and also the .class file with the applet class runs inside the vicinity of the client JVM and so the bytecodes would certainly be available that may then be de-compiled to have a look at the source. Yeah, you're are right the bytecodes are available at the client machine also it can be decompiled. But, what makes this approach better than the JavaScript approach could be understood by following points:
Bytecode tempering is automatically detected: automobile intruder somehow gets your hands on the bytecodes and changes that, the changed bytecode will throw different while running whereas these changes in the JavaScript (or VBSCript) source will not be detected.
Security Mechanism of Java is a lot more versatile: what we mentioned in the above point is additionally an integral part of the Java Security mechanism, yet it's not only limited to this. The correct answer is versatile and layered. No such benefit is available with JavaScript (or VBScript).
JVM supplies a far more consistent environment: bytecodes run within a Java Virtual Machine which obviously offers a far more consistent and stable environment as compared to the environment in which JavaScript (or VBSCript) code runs.
Impl of public/private keys for every new request: you would probably be aware of the Secure Key concept which forms an element of the password on many systems. The root idea in such implementations is to have part of the password which will keep on changing with a continuous basis and thus making it virtually impossible for that attackers to estimate that. Similarly, if we want to boost the encryption strength to an even higher level, we can easily put in place different public/private key combinations for each new request.