- Why the Need for Encryption?
- A First Attempt: Encoding Text
- Building a Stronger Key
Building a Stronger Key
The problem with the encryption scheme in Listing 2 is that the most important part, the key, is hard-wired into the code. A savvy user need only examine the code, see that XOR encryption is being used, and then use the key to reverse the encryption in the same way that the decrypt_cookie() function does.
To strengthen this scheme, you need to set things up so that the key is not visible in the code. This means that you need to base the key on a password or other value that the user must enter. This text is called a keytext.
Given a keytext, what you'd then do is generate a numeric key as follows:
- When you're encrypting the first letter of the plaintext, use the first letter of the keytext to generate a key.
- When you're encrypting the second letter of the plaintext, use the second letter of the keytext to generate a key.
- Continue until you reach the end of the keytext, and then start over from the beginning of the keytext.
- Continue until the entire plaintext is encrypted.
Listing 3 shows a function that generates a key in this fashion.
Listing 3: Encrypting and Decrypting Using a Keytext
<script language="JavaScript" type="text/javascript">
<!--
var keytext = prompt("Enter the keytext (no spaces):", "password")
var keytext_index = 0

function generate_key() {
    // Get the current keytext character
    var keytext_character = keytext.substring(keytext_index, keytext_index + 1)

    // Increment the keytext_index and reset if necessary
    keytext_index++
    if (keytext_index == keytext.length) {
        keytext_index = 0
    }

    // Get the character's location in the string of legal characters
    // (legal_characters is the string defined in Listing 2)
    var keytext_location = legal_characters.indexOf(keytext_character)

    // Make sure the key is >= 2 and <= 31
    var encrypt_key = (keytext_location % 30) + 2

    return encrypt_key
}
//-->
</script>
The script begins by using the prompt() method to get the keytext from the user. (If you're implementing a password protection scheme, you'd wait until the password is verified and then assign it to the keytext variable.) The variable named keytext_index keeps tabs on where we are in the keytext string.
The generate_key() function begins by using substring() to extract the current keytext character based on the value of keytext_index. Then keytext_index is incremented and tested with an if() statement. If keytext_index is equal to the length of keytext, then it means we've reached the end of the keytext, so the index is reset to 0.
The keytext character's location in the string of legal characters (see Listing 2) is calculated using indexOf(). However, recall that the key must lie between 2 and 31 for the encryption to work properly. To ensure that this is the case, a mod (%) expression is used to return a value greater than or equal to 2 and less than or equal to 31:
(keytext_location % 30) + 2
The result is stored in encrypt_key, which the function then returns.
To use this function in the encrypt_cookie() function, you need to modify this function in three ways:
- Remove the encrypt_key argument and declare it as a variable instead.
- Set keytext_index to 0, just to be safe.
- Set encrypt_key equal to the result of the generate_key() function:

    encrypt_key = generate_key()
The modifications to the decrypt_cookie() function are identical.
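As an added example (not the article's Listing 2 or 3), here is a stateless version of the keytext scheme in plain JavaScript that runs outside a browser: each per-character key is derived exactly as in generate_key(), the key stream visibly repeats with the keytext's length, and a keytext character outside the legal set is rejected instead of silently yielding a key of 1. The legal_characters string from Listing 2 is not on this page, so the alphabet below and the XOR-on-character-code step are assumptions.

```javascript
// Added example, not the article's Listing 2/3 code. ASSUMPTION: Listing 2's
// legal_characters string is not on this page, so this alphabet stands in for it.
const LEGAL_CHARACTERS =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Per-character key, computed as in the article's generate_key() but without the
// global keytext_index: the keytext is cycled by taking position mod its length.
function keyForPosition(keytext, position) {
  if (keytext.length === 0) throw new Error("keytext must not be empty");
  const keytextCharacter = keytext[position % keytext.length];
  const keytextLocation = LEGAL_CHARACTERS.indexOf(keytextCharacter);
  // indexOf() gives -1 for a character outside the legal set; the formula would
  // then return 1, outside the required 2..31 range, so reject it explicitly.
  if (keytextLocation === -1) {
    throw new Error("keytext character outside legal set: " + keytextCharacter);
  }
  return (keytextLocation % 30) + 2;
}

// The whole key stream for `length` plaintext characters. Because the keytext
// is cycled, the stream repeats with period keytext.length.
function keyStream(keytext, length) {
  const keys = [];
  for (let i = 0; i < length; i++) keys.push(keyForPosition(keytext, i));
  return keys;
}

// How many distinct per-character keys the scheme can produce at all:
// the % 30 fold means never more than 30, whatever the alphabet size.
function distinctKeyValues() {
  const seen = new Set();
  for (const c of LEGAL_CHARACTERS) seen.add(keyForPosition(c, 0));
  return seen.size;
}

// ASSUMPTION: the article says Listing 2 uses XOR; here each character code is
// XORed with its key. XOR is its own inverse, so the same call decrypts.
function applyKeyStream(text, keytext) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ keyForPosition(keytext, i));
  }
  return out;
}

// Demonstration: the key stream for "password" and a round trip.
console.log(keyStream("password", 10));                            // first 8 values repeat
console.log(applyKeyStream(applyKeyStream("hello", "ab"), "ab")); // "hello"
```

The distinctKeyValues() check makes the section's point concrete: whatever the keytext, every character is combined with one of only 30 key values, and the sequence restarts every keytext.length characters.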