GPL JavaScript Public Key Encryption Demo

JAVAScript Public Key Encryption Demo

Here's everything you need to do secure, public key, browser-based transactions. The code works seemlessly with the shopping cart system and is about as optimized as I can make it. I may work to do something fancy with generating random numbers with higher entropy, or adding a passphrase to protect the private key.

First you need to generate a key pair. (Actually, it's four numbers: p, q, d, and e: p * q and e make the "public key" and p, q, and d make the "private key.") This is the slowest part. Pick how large a key you want. Larger keys are more secure, but take longer to generate, and somewhat longer to use (especially decrypting the orders). 512 bit key modulos (32 byte keys, ie p and q are 256 bits each) are still considered somewhat secure. My browser took about 3 minutes to generate a key of this size on my p2-450. Try a smaller one first, like 8 bytes and square that time twice to see how long it might take for you.

Encrypting the orders takes very little time, maybe a second or two, but those decrypting will notice a definate lag (7 seconds for me).

Note that many browsers require you to NOT cancel the script after it is taking a while to generate the keys. I've tested this on InternetExplorer 5 (win). If you find it works/doesn't work with another browser, let me know. I've been told that Netscape is much slower than Microsoft for this type of thing.

Zed's Mods to this: So, I'm using persist.js to store the key you initially generate into the available private store in your brower. Browsers have some forms of storage other than cookies, and persist.js makes this possible to use on most of them. What you do is put in a chunk of randomness from random.org and hit the GenerateKey button. Now you've got yourself a private/public key combo stored to your browser. Alright, close this window and come back and the browser will remember it, without any intervention from any software on my server. What's that good for? Just wait and see my friend.

To make a new key, simply kit the RemoveKey button, make sure some randomness is in the randomness box, and hit GenerateKey again. You'll get a new one and it'll be stored for you again. Try out an encryption, copy the encrypted text, close the browser, come back and you'll be able to decrypt it.

Random seed:
Random.org will provide us with a random seed by clicking here. Ctrl-a and Ctrl-c to copy the text, then paste it above.

key bytes:

prime factor p: prime factor q:
(Note: these are used to build your key values.)
Public Modulo (p*q):
Private exponent (d):
Public exponent (e):
text: your secret text goes here
Decrypting takes seconds
This took seconds

How to use these:

This is free software. I make absolutely NO WARRANTY whatsoever that this software does anything. See the GPL for details.

Generate a key pair. For example, when I did I got:

p: 40632295,2191 (private)
q: 122927507,2595 (private)
d: 119141457,185046352,2676254 (private)
p*q: 148299941,57683965,5687041 (public)
e: 17 (public)

Note: this example is trivially insecure

Put a copy of crypto.js on your hard drive and on the server. Then add the following to your public script on your server:
<script> function encrypt() { document.form.text.value=rsaEncode([17], [148299941,57683965,5687041],document.form.text.value) } </script>

And put the following in your private script (probably on your local hard disk -- not on the internet -- if your private key is found this whole thing is useless.)
<script> function decrypt() { // key = [ [d], [p], [q] ]; var key=[[119141457,185046352,2676254],[40632295,2191],[122927507,2595]]; document.form.text.value=rsaDecode(key, document.form.text.value); } </script>

Ok, so you might want to do something more interesting than just put the data into document.form.text.value (this assumes you have a <form name="form"> in your document, by the way).

Enjoy!

John

Change log

7/12/02	I found a bug in the b2t function (crypto.js) which made odd key sizes fail. It's fixed I also changed the crypto.js rc4 to be more secure (especially with short keys) and to be compatible with the decryptor.py python script. Encryptions made with this version ARE NOT COMPATIBLE with encryptions made the old way.
4/25/01	I just found out about random.org and changed the seed function to take advantage of it.
3/19/01	Just for kicks I thought I'd try to generate a 960 bit (60 byte) key pair. On my p2-450 it took slightly more than 10 minutes to generate the keys, and decryption took 33 seconds. I'm happy.
3/19/01	added the entropy pool to the random number generator. This only slowed key generation by < 10%, so I think it's worth keeping.
3/11/01	replaced decode's mod-exp call with optimized Chinese Remainder Therom version; decodes are roughly 2x faster. NOTE: this means calling interface for rsaDecode is changed.
3/10/01	replaced general slow radix function with simple optimized versions for b2t, t2b, textToBase64 and base64ToText; this greately accelerated encrypting longer strings
3/10/01	rewrote session key generation (again)
1/25/01	concluding massive rewrite including Maurer's provable primes and Barrett's modular reduction; increased speed by 10 - 100 times
1/3/01	added sieve to prime number locator -- increasing speed lots!