On Wed, Aug 28, 2013 at 7:53 PM, Samantha Atkins <sjatk...@gmail.com> wrote:
> We all know about SSL so stop the lectures please. Sometimes you simply
> want to reasonably encrypt on client and decrypt on server and for one
> reason or another SSL is not an option.

SSL is always an option, you are just not choosing it. Using JS crypto is fine, assuming you do all the appropriate things that SSL does in order to transmit a secure session key to the client. If you don't do that, you might as well use ROT-13 encryption.

On Wed, Aug 28, 2013 at 7:51 PM, Samantha Atkins <sjatk...@gmail.com> wrote:
> So if I use sjcl.encrypt at browser then how do I do the equivalent of
> sjcl.decrypt in python at server side. That is what the original question
> was asking as I read it.

Since there is no such thing as 'sjcl.encrypt', there is no answer to this. If you wanted to use CryptoJS's AES encryption, however, you could do something like this on the client (as taken from the linked docs...):

    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
    <script>
        var encrypted = CryptoJS.AES.encrypt("JS crypto is daft", "Secret Passphrase");
    </script>

And then the purpose of using STANDARD crypto becomes clear: you use the py-crypto library to decode:

    from Crypto.Cipher import AES
    import binascii

    key = 'Secret Passphrase'
    # encrypted_string: the value sent up from the client
    ciphertext = binascii.unhexlify(encrypted_string)
    decobj = AES.new(key, AES.MODE_ECB)
    plaintext = decobj.decrypt(ciphertext)

I've not tested any of this, CryptoJS might not use ECB by default.

All of this, of course, does not take into account my first warning about key exchange. Without effective key exchange, your "secret" passphrase is passed over the internet in the clear, meaning anyone who wants to defeat your encryption needs only monitor that and your encrypted data, and effectively your content is not encrypted at all.

Just use SSL. I'm sorry if you feel that advice is unhelpful, it really isn't. See this answer for fuller explanations:

http://stackoverflow.com/questions/9833527/client-side-encryption-over-http-with-diffie-hellman-key-exchange-and-aes

Cheers

Tom
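Added example, not part of the original message: when CryptoJS.AES.encrypt is given a passphrase string, CryptoJS 3.x emits OpenSSL's salted format (Base64 of "Salted__", an 8-byte salt, then AES-256-CBC ciphertext with PKCS#7 padding, key and IV derived by a single-pass MD5 EVP_BytesToKey), so a Python decoder has to parse that layout rather than use the passphrase directly as a key. The function names are my own, and the AES step assumes PyCryptodome (or PyCrypto) on Python 3.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # header of OpenSSL's salted format, which CryptoJS reuses


def parse_openssl_blob(b64_text):
    """Split the Base64 string from CryptoJS into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 32 or raw[:8] != MAGIC:
        raise ValueError("not a salted OpenSSL-format message")
    body = raw[16:]
    if len(body) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return raw[8:16], body


def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16):
    """OpenSSL EVP_BytesToKey with MD5 and one iteration (a weak KDF)."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def decrypt_cryptojs(b64_text, passphrase):
    """Decrypt passphrase-mode CryptoJS.AES output; returns the plaintext str."""
    from Crypto.Cipher import AES  # third-party: PyCryptodome / PyCrypto
    salt, ciphertext = parse_openssl_blob(b64_text)
    key, iv = evp_bytes_to_key(passphrase.encode("utf-8"), salt)
    padded = AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext)
    pad = padded[-1]
    # CBC carries no integrity check; a padding test only catches gross errors.
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong passphrase or corrupted data")
    return padded[:-pad].decode("utf-8")
```

This only makes the two ends interoperate; the passphrase still has to reach the browser somehow, which is the key-exchange problem the message describes.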