2
votes

I'm writing a communication website application. For security, the application encrypts passwords and messages before storing the information in a database. In its current state, messages and passwords are sent from client (React) to server (Node.js), where they are encrypted by bcrypt (server-side). When stored messages are read from the database by the server and sent to the client, they are decrypted by the server pre-transmission.

So, I have a few questions.

  1. What is the risk factor in having server-client communication where the exchange of information between them is never encrypted?

  2. Should I bother encrypting the information?

  3. If I should bother encrypting the information on the client before transmission, what is the best client-side encryption library to do so (in a React context, if that makes a difference)?

  4. Also, how would I go about sending encrypted server information to the client, which decrypts it with a different technology than bcrypt; or, should I use entirely client-side encryption, while the server just reads and writes the encrypted information with no knowledge of its contents?

Any help would be appreciated! Thank you in advance.

2
How are you doing server-client communication? – Talha Junaid
Usernames, passwords, general user information, are being communicated through axios. Messages through socket.io. – Drake Izatt
Are you using HTTPS or HTTP for communicating? – Janith
Axios uses HTTP. – Drake Izatt

2 Answers

3
votes

Talha already answered your question, though I will just provide some details.

What is the risk factor in having server-client communication where the exchange of information between them is never encrypted?

In theory, every computer on the network that the data passes through could read the data. Reality is even worse: currently implemented WPA2-secured Wi-Fi transmission could be eavesdropped.

Should I bother encrypting the information?

Let's rephrase your question: should I transmit information encrypted? Yes, there's no reason not to (except if you are too lazy to learn how to do it). Using HTTPS will ensure confidentiality and integrity (that nobody messes with your data and that you are speaking to the right server). HTTPS is readily available today. There are even free certificate authority services (e.g. letsencrypt.org).

When storing passwords, the best option is using slow cryptographic hashes (yes, bcrypt will do the job). The hashing usually takes place on the server side.

Should I encrypt information on the client side? Mostly it's not the best idea. The thing is: are you able to manage the encryption keys reasonably? Ensure data integrity? Ensure the server's identity? Limit options for side-channel attacks? TLS does it all for you. You would be reinventing a stone wheel while nice inflatable rubber tyres already exist.

If I should bother encrypting the information on the client before transmission, what is the best client-side encryption library to do so (in a React context, if that makes a difference)?

I used the CryptoJS library for JS encryption (I used it on the server side, but I believe it doesn't matter).

Also, how would I go about sending encrypted server information to the client, which decrypts it with a different technology than bcrypt; or, should I use entirely client-side encryption, while the server just reads and writes the encrypted information with no knowledge of its contents?

Just use TLS (HTTPS). At a certain point you need to trust your server. Indeed, you should still secure your data (such as hashing the passwords).

You can build your own encrypted communication protocol (nobody can stop you), but it will cost you a lot of time and its security will still be very questionable (to put it politely).

2
votes

While communicating, one should always use a secure method of communication, e.g. HTTPS. And while dealing with sockets you can use WebSocket Secure (WSS), in which the connection is encrypted through TLS/SSL.

If you use HTTPS and WSS, your communication is already encrypted using SSL, so you should not bother encrypting data on the client side unless it is absolutely necessary.

bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher. Hashing is not reversible: once you have created a hash you can't decrypt it. If you need to decrypt, you can use AES-256. For more information about AES, you can start from Wikipedia.

bcrypt is an algorithm and can be implemented in any language; moreover, bcrypt (the npm package) is an implementation of the algorithm.