问题描述

我必须通过一个未加密的频道（HTTP，而不是HTTPS）通过JavaScript AJAX Call传输一些敏感信息。

I have to transfer some sensitive information over a JavaScript AJAX Call, over an unencrypted channel (HTTP, not HTTPS).

我想加密数据但是JavaScript方面的加密意味着我公开了密钥，这使得对称加密只是通过隐晦的安全性进行的。

I'd like to encrypt the data, but encryption on the JavaScript side means I expose the key, which makes symmetric encryption only an exercise in security by obscurity.

是否有JavaScript的非对称加密？这样，我可以保持服务器解密密钥的秘密。 （我不担心Server> JavaScript消息的安全性，只关心某个JavaScript> Server消息的安全性）

Is there any asymmetric encryption for JavaScript? That way, I can keep the Server decryption key secret. (I'm not worried about the security of Server > JavaScript messages, only about the security of a certain JavaScript > Server message)

推荐答案

你需要加密的原因可能是为了防止中间人。有些情况下，攻击者能够嗅探流量而无法改变它。这种解决方案可以防范这种威胁，但是它不会对能够修改流量的中间人提供任何保护。

The reason why you need encryption at all is probably to protect against a man-in-the-middle. There are scenarios where an attacker is able to sniff at the traffic without being able to change it. This solution would protect against that threat, but it would provide no protection at all against a man-in-the-middle that is able to modify the traffic.

如果攻击者可以更改流量，那么他也可以更改加密的脚本。最简单的攻击是从脚本中完全删除加密。如果你没有https，而中间人是可能的（几乎每个场景都是这样），那么你根本就没有任何对HTML或者javascript的控制。用户。攻击者可能会完全重写您的HTML代码和JavaScript，禁止加密，在表单中创建新的表单域.Https是Web通道中安全通信的先决条件。

If the attacker can change the traffic, then he will also be able to change the script that does the encryption. The easiest attack would be to just remove the encryption completely from the script. If you don't have https, and a man-in-the-middle is possible (which is the case in almost every scenario) then you don't have any control at all over the html or javascript that is presented to the end user. The attacker may rewrite your html code and javascript completely, disablign encryption, creating new form fields in your form etc. Https is a prerequisite for secure communication in the web-channel.

这篇关于有什么不对称加密选项的JavaScript？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！