Research website of Vyacheslav Gorchilin
Another implementation of the Hash-Mask algorithm to protect data transmitted to the server
Sometimes data needs additional encryption on the client side before it is transmitted to the server. One example is the administration panel of a service, from which commands are sent. Sometimes the protection of the HTTPS protocol is not enough, especially since there is already a lot of information about holes in its implementation. Not to mention plain HTTP.

So here is the problem: to raise the level of security of the data transmitted to the server, with the protection applied in the client's browser. This means that eavesdropping on the communication channels, attacks on the HTTPS connection and other SQL injections will not be a threat to you, even when data is transmitted over insecure protocols.

The symmetric Hash-Mask algorithm was developed for such problems. Its distinctive features are simplicity, a high level of cryptographic protection, and the ability to apply the protection with JavaScript in the client's browser. The code is simple and open, which gives the user full control over the encryption and decryption of the data. Encryption takes place offline, which further increases the protection.

The mechanism is very simple to put in place: on the client side, by including three additional scripts, and on the server, by adding one module (so far developed for Perl). In effect, all of these modules and scripts are add-ons to an already working scheme.

Below is a working example of the protection.

After you fill in the fields and click the "Send" button, the following happens: the script prompts you to enter the code word and remembers it (so it does not have to be entered again the next time); retrieves the data from all the form fields and encodes it; clears the fields themselves; and creates a new field named "Q" whose value is the encoded string. It is this field that is sent to the server.

On the server, the decoding module then decodes the data in the field "Q" and adds it to the standard fields of the CGI module, which can then be used as usual. The module is loaded like this:

use Secure;

The data is read from the variable $Q. For example, this is how we get the value of the field "name": $Q->param("name"). There is no need to create the variable $Q: the module creates it.
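The form flow described above (collect the fields, encode them, send only "Q", decode on the server), as an added example that is not the author's code. The page does not give the Hash-Mask algorithm itself, so AES-256-GCM with an scrypt-derived key from Node's crypto module stands in for it, and both ends run in Node here; the names packForm and unpackForm and the layout of Q (salt, IV, tag, ciphertext) are assumptions.

```javascript
// Added example: AES-256-GCM stands in for Hash-Mask, which this page does not specify.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// Derive a 256-bit key from the code word; the random salt travels inside Q.
function deriveKey(codeWord, salt) {
  return scryptSync(codeWord, salt, 32);
}

// Client side: pack every form field into one encrypted value for field "Q".
function packForm(fields, codeWord) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(codeWord, salt), iv);
  const plain = new URLSearchParams(fields).toString();
  const body = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
  const q = Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64url');
  return { Q: q }; // the only field that is sent to the server
}

// Server side: decrypt Q and return the original fields, or null when the
// code word is wrong or Q was modified in transit (GCM tag check fails).
function unpackForm(q, codeWord) {
  const raw = Buffer.from(q, 'base64url');
  if (raw.length < 16 + 12 + 16) return null; // too short to hold salt, IV and tag
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const body = raw.subarray(44);
  try {
    const decipher = createDecipheriv('aes-256-gcm', deriveKey(codeWord, salt), iv);
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
    return Object.fromEntries(new URLSearchParams(plain));
  } catch {
    return null;
  }
}
```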

Try filling in the fields; you will then be prompted to enter a code word. Enter Masha and you will receive a page with the data as processed on the server. Note the query string sent to the server.


The first parameter:

The second parameter: