TLS using JS and Python — A native implementation of HTTPS in Client-Server Architecture
Anukai Solutions
May 14

A Brief Overview

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

HTTPS allows us to communicate securely over an insecure channel, where it is easy for someone to listen to all network traffic.
The communications via HTTPS are secure because they are encrypted.
Using HTTPS, the computers agree on a “code” (or a secret) between them, and then they scramble the messages using that “code” so that no one in between can read them.
This keeps your information safe from hackers.
They use the “code” over a Secure Sockets Layer (SSL), now standardised as Transport Layer Security (TLS), to send the information back and forth.
SSL is a standard security technology for establishing an encrypted link between a server and a client — typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook), to allow sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely.
Normally, data sent between browsers and web servers is sent in plain text — leaving you vulnerable to eavesdropping.
If an attacker is able to intercept all data being sent between a browser and a web server, they can see and use that information.
SSL works on the principle of asymmetric encryption, also called public-key cryptography.
SSL uses certificates, which are based on a key pair: a public and a private key.
These keys work together to establish an encrypted connection.
The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.
One such algorithm involving asymmetric encryption is RSA (Rivest-Shamir-Adleman).
RSA has become the most widely used asymmetric algorithm: it provides a method to assure the confidentiality, integrity, authenticity, and non-repudiation of electronic communications and data storage.
Many protocols like Secure Shell, OpenPGP, S/MIME, and SSL/TLS rely on RSA for encryption and digital signature functions.
Now let’s hop on to the Practical…

Pre-Requisites:

We will be demonstrating use of RSA asymmetric encryption for the following purposes:
- to understand the working of HTTPS
- to secretly transfer information from Web browser to Server
- to view this information for later use
- to safeguard this information from eavesdropping or MITM
Setting up the Workspace:

At Client side, we will create an HTML form along with JavaScript to send data to the Server. At Server side, we will use Flask to capture the request made by the client. Make sure Flask is set up on your machine along with flask-cors:

pip install -U flask Flask-Cors

Clone this repository on your machine and open it: https://github.com/nitish-007/encryptionDemo

Demo 1 — Sending request without encryption:

1. Get inside directory encryptionDemo/without.
2. Using your favourite terminal run:
   python api.py
3. Open index.html in your desired browser along with Developer Console.
4. Open Network Tab in Developer Console.
5. Login using username = “admin” and password = “password”.
6. Under Network Tab, select login and see its Request Payload.

Payload generated by the client is in plain text, which makes it vulnerable to misuse.
(Screenshot: Payload is visible as plain text)

Demo 2 — Sending request with encryption:

1. Get inside directory encryptionDemo/with.
2. Using your favourite terminal run:
   pip install -U pycrypto
   python api-rsa.py
3. Open index.html in your desired browser along with Developer Console.
4. Open Network Tab in Developer Console.
5. Login using username = “admin” and password = “password”.
6. Under Network Tab, select login and see its Request Payload.

Payload generated by the client is now encrypted and is not in a human-readable format.

(Screenshot: Payload is Encrypted)

Deep dive into Code:

(Figure: Flow of Data from Client to Server)

Generating Private/Public key pair using PyCrypto: encryptionDemo/with/gen_rsa_keys.py

This will generate two keys in the keys directory:
- private.pem — Used by Server for Decryption
- public.pem — Used by Client for Encryption

Modify public.pem as given below and rename it into public.js:

var pem_file = `-----BEGIN PUBLIC KEY-----
key data
-----END PUBLIC KEY-----`

Client Side Code — index.html:

At Client Side, we will use Forge.js to perform RSA Encryption on our payload.

Import forge.js into your HTML document via CDN:

<script src="https://cdn.jsdelivr.net/npm/node-forge@0.7.0/dist/forge.min.js"></script>

Import the Public Key (public.js):

<script src="./keys/public.js"></script>

Initialise forge using the public key (variable ‘pem_file’ from public.js) and apply encryption on the payload — reqBody:

(Screenshot: Encrypting reqBody using RSA-OAEP)

Send the encrypted payload (base64) to the Flask backend using a Fetch API POST request:

(Screenshot: Sending Data to Server)

Server Side Code — api-rsa.py:

At Server Side, we will use the PyCrypto module in our Flask app to decrypt the payload received.

Import the required modules and verify them:

(Screenshot: Import all these modules)

Create a function which accepts the encrypted string and decrypts it using the private key — private.pem:

(Screenshot: Decryption Function)

The decrypted payload is used by Flask to authenticate the credentials entered by the user.
And Voila…

We have successfully encrypted our data at the client side and decrypted it on the server side, in a similar way to how HTTPS works over the network.

Authors:
Rohan Sharma — Frontend Developer — Cleartrip.com | LinkedIn
Nitish Goyal — Cloud Operations Intern — VMware | LinkedIn