15,114,302 members
Articles / Security / Encryption
Tip/Trick
Posted 10 Oct 2015

9.7K views
2 bookmarked

# Without SSL - Another Kick In The Whole

Rate me:
This tip shows an overview of how to send and receive something securely over the internet without SSL

## Introduction

Over the internet, everything could be read, even all codes or key values.

First, the best practice is to send a bank transaction over the internet with or without SSL is to complete with a kind of safe security field. That is, if an attack changes the amount of a transaction, the best practice is to add an encrypted field containing a hash key of SHA1 of the complete query.

For that, the solution is to use an asymmetric pair of keys: a public key is accessible for everyone and anyone can read the key; the private key is not to be known for anyone... this means that you have to keep your private key very securely... even, don't map a file containing your private key on the web server directory. Public keys are used to crypt and only for this. It means you must not encrypt something with a private key (because that doesn’t work); Private keys are used for decryption only.

For that example, the query must contain a supplementary encrypted field and the server decrypts it and then it generates a SHA1 of the query (without the encrypted field)... if both hash keys are not identical, then the transaction is cancelled else the transaction is checked to process one payment.

## Why That Could Be Useful?

Well, for example, you are a client on the internet and you have to send a password for your authentication. This password will be useful for communicating with the server securely. And, your password shall be so complicated, the encryption and the decryption shall be so complex that it works so well that never and never again your data will be caught or stolen.

But, to start it, you have to be agreeing between you as a client and the server... a server which is connected to the internet and you have to send all your data encrypted...even the HTML content.

Yes, this sounds like something as this is doing during war...when a message must be sent to the cavalry through the enemy line.

## Why is This Impossible?

Even with the best practices, other things cannot be done securely. For example, an initial decryption by a web browser is impossible if the client doesn't have his own certificate. And, this certificate should be valid, and a client cannot have his own certificate; this could be fine, but it's not possible to set a key for everyone... because... this set will make a security hole... Imagine, a 34 bit key... and one only value for 2 power 34 computers...???

## Background

This tip comes from a basic idea; if you are thinking to implement my idea, I have to give you a few chunks of design.

## An Overview Of What I'm Saying

For an example, this is what I’m trying to invent.

JavaScript
function crypt_base(a,b,o,i) {
o[i] = a;
o[i+1] = a+b;
}

function crypt(tab)
{
var i;
var output = new Array();
for(i = 0; i  < tab.length; i += 2) {
crypt_base(tab[i], tab[i+1], output, i);
}
return output;
}

function decrypt_base(a,b,o,i) {
o[i] = a;
o[i+1] = b - a;
}

function decrypt(tab) {
var i;
var output = new Array();
for(i = 0; i < tab.length; i += 2) {
decrypt_base(tab[i], tab[i+1], output, i);
}
return output;
}

This is a simple example of a plain text to crypt and decrypt but too simply to be used as a real encryption. This is just an overview of what I’m trying to invent. This could be fine if I generate something more complex with much more compute.

But unfortunately, such a function could be reversed again because each compute can be reversed: the reverse of the addition is a subtraction and the reverse of the multiplication is a division. Hence, any operation can be reversed.

Hence, I need to create something more complicated: for that, I need to lose information during encryption and for that I publish a function which has losing of information. And, to decrypt, I have to conserve these information which have been hidden in the encryption. A mathematical equation can be the waited behavior. For an example,

f(a,b) = a+b

This is a simple equation which obfuscates two parameters. Then, I give the results of that function into the encrypt function but these two parameters are staying hidden.

To decrypt, these two values are known; these two parameters must be needed to decrypt but to encrypt, I publish only the sum and I can't decrypt if I don't know these parameters' values. So, if I can't decrypt but I can encrypt only, this is secure.

Likewise, to decrypt, these two parameters are known, but the equation function is not published; so, if I can't encrypt but I can decrypt only, this is secure.

Each time I want to communicate securely between a web browser and a web server, new encryption and decryption functions are generated.

## Using the Code

If we want to securely send something from the client to the server, there is an opportunity of implementing a new algorithm:

“You program a generator which computes an encrypting function on the fly”

I explain to you some stuff:

It is possible to automatically generate a JavaScript function from the server which transforms a plain text in a crypt text to send. What kind of function and what kind of encryption is to use?

But, suppose we have that function. What could we do with it?

The client calls the function, and the result is a crypt text and then, the client sends this result to the server. But, how the server will decrypt this text?

### Encryption Function Made by the Server

Since before, the encrypt function was generated on the fly by the server. We need to write an encrypt function that matches the decrypt function. That function is only handled by the server. A unique data model is first generated, and this data model is kept into the session state and then the server is sending his HTML text with the JavaScript source code containing the encrypt function in order to give the ability to the client to encrypt something.

Well, it's seems to be interesting because there are several checks against an attack:

1. The server keeps a different data model into each session state; it works for any connection.
2. The server keeps closely the decrypt function; the client cannot read that function.
3. The client just has a JavaScript function to encrypt text.
An attacker could send something by running that function to encrypt what it wants, but there is no big risk... because the server will not be able to understand the decrypted text that the attacker would wanted to say. That's why the attacker should say something good... like the good ID for an existing user, the good password for authentication...and for example, the good captcha code. Therefore, the attacker has nothing to gain to do this stuff.
4. The function JavaScript is executed rapidly by the web browser. The client encrypts what it wants to send.
5. The function JavaScript is unique at each connection, and then this function is always different.
6. The server has a unique data model and can then decrypt any encrypted text received from the client.
7. The encrypted string is sent on the Internet.... a man in the middle can change something in the stream but the decryption will fail or all data will not be understood by the server.

## Reverse Purpose

It seems that we can reverse this process in two ways.

Either the client decrypts some texts or else the client generates two functions to crypt and decrypt on the fly and send it to the server.

### First Reverse Idea: Sending a Crypted Text to the Client

The server constructs a new function JavaScript to the client and gives to it the ability to decrypt what the server said. The server keeps in private the function for encrypt and gives only to the client the function for decrypt. The server crypts what it says and then it sends to the client the result. Later, the client decrypts and does his job as a normal web page.

### What Kind of Interesting Things Can We Send to the Client?

Of course, we could send a new password to the client again. Yes?... this could be fine... the server gives your password by an encrypted string, you decrypt and get password, now you keep your new password securely and then when you connect again on the web site, you take not account your authentication because you are giving something which you already have. Your password is send securely with the previous design of this security concept and then everything goes ok.

As you already have an encrypt function which you have been given before by the server side, you crypt your information and the server will decrypt it later when it will use his decrypt function that matches with his existing data model retrieved in the session state.

### Second Reverse Idea: The Client Creates These Functions

Well, these things couldn't be realized one decade ago. The client writes something like a script which declares an algorithm to encrypt/decrypt something by the server. The server must know how to execute this script. As a result, for instance, and a decade before, it was impossible for a server to execute a script designed by the client; first, because of security issues but also, because no script could not be able to be executed over all heterogeneous servers (note, the web works with heterogeneous computers).

Now, we have the tool: node.js.

With node.js, you can generate and send over the internet some JavaScript scripts and the server knows how to execute it securely with this new existing script engine designed four years ago (at least).

Quote:

And, also, your browser generates a string script and sends the string to the server and the server executes the script. The client keeps in private the data model (try JSON) which is created and written in JavaScript. The designed security program is easy, portable, readable, clear, and embeddable and, works fine into the client but also into the server.

## What Kind of Data Model?

Yes, again, there is an unsolved problem; I had not said myself about the functions to encrypt and decrypt. I'm doing it now.

### An Integer, What Is It?

A text is always encoded by integers. An integer is strictly defined as a set which the cardinal is N, from zero to N-1. Even, an integer is represented by a binary base: Z bits at 0 or 1 where N = 2z.

You could define an integer as a separate of 0<k<z successive bits and each value is strictly defined as a set which the cardinal is 2k.

The function to encrypt/decrypt is just doing this implementation: any successive values have computed by addition, substraction, multiplication, division, bitwise AND, OR and X-OR operators. Especially, you can add unary operators like NOT, + and -.

### Keep Data Without Losing Information

Recall in mathematics, that if you are doing an addition of two numbers and you keep only the result, you are losing three pieces of information from this previous action:

1. the first operand
2. the second operand
3. the operator

Regardless about mathematics, to avoid any missing information, you must keep two numbers on three in order to recompute the opposite operation to retreive all initial information.

### Create a Lack of Information for Security Reasons

Like I have explained before, I use a mathematical equation to create parameters as numerous as I want to. And, I compute at each time as I want several values as numerous as I want and I combine with integers I need to encrypt.

To create realistic encryption and decryption functions, I automatically generate these functions; and random numbers are used to generate as long as I want new functions.

## Points of Interest

This is great implementing a function in JavaScript to crypt/decrypt everything between a server and a client without the needs of SSL.

## Share

 Software Developer (Senior) NoComment France
No Biography provided