How does the program work?

The encryption algorithm and protocol are similar in concept to those of SSL/HTTPS: a public key is used once to agree on a symmetric key, and the symmetric key does the bulk encryption.

  1. Firstly, the applet and a public key are sent to the browser.
  2. The applet generates a random number (128 bits) that becomes the symmetric encryption key for the data transfer. The AES (Rijndael) encryption algorithm is used here. A different number is generated each time the applet is used (whereas HTTPS keeps one session key for the whole session).
  3. This symmetric key is then encrypted with the public key using the RSA algorithm. The RSA key length is 1024 bits (below the 2048 bits that is now the usual minimum, so read it as a property of this design rather than a recommendation).
  4. The encrypted symmetric key and the encrypted data are base64-encoded as one chunk and submitted to the application server via a normal HTTP POST.
  5. The application server does the reverse: it decrypts the symmetric key using the private key and then decrypts the data with that key.
  6. Return data to the browser can also be encrypted by the application server using the same symmetric key and decrypted by the applet.
Basically there are two things you may want to do:

 

(A) Send Encrypted Data from Browser to Server

  1. Serve out the encryption applet.
    Standard stuff. For example, put the following in the page that carries the HTML form.
    <APPLET
       ARCHIVE = "EndApplet.jar"
       CODE = "endtoend.EndtoEnd.class"
       NAME = "e2e"
       HEIGHT = 0
       WIDTH = 0
       ALT = "EndtoEnd Applet">
    <PARAM name = "pk" value = "AIAA...5BQ==">
    Browser is not java-enabled!
    </APPLET>
    
    The long "pk" param is required: it carries the public key, which you cut and paste in. The applet trusts whatever key this param contains, so the page that carries it must itself reach the browser unmodified (in practice, over HTTPS); otherwise the data is encrypted to whoever substituted the key.

  2. Extra hidden field
    Put an extra hidden field in your HTML form. This field will carry the encrypted data, and there is no need to show it to the user. An example below.
    <input type="hidden" name="encdata">
    
  3. Javascript to do the work
    Write the JavaScript that selectively encrypts the form's input data. For example, to encrypt the userid and password fields of a form, the JavaScript looks like this:
    function encode(form) {
       document.e2e.update("userid",form.userid.value);
       document.e2e.update("password",form.password.value);
       form.encdata.value = document.e2e.done();
       form.userid.value = "";   // Blank it!
       form.password.value = ""; // You really do not want to send this in clear.
    }
    
  4. Activate the JavaScript
    Hook the form's onsubmit handler so it runs the function before the POST goes out (the handler is plain JavaScript already, so it takes no "javascript:" prefix).
    <form onsubmit="return encode(this);"
         action="endtoend.jsp" method="post">
    
  5. Decrypt the data at the Application Server
    Make use of the server-side program (not the applet) to decrypt the data. This jar contains just normal Java classes, not beans. You have to include this server jar file in the CLASSPATH of your application server; how is application-server specific. Example JSP code (Hashtable.get returns Object, so the values are cast):
    <%@ page import="java.util.*, endtoend.*" %>
    <%
       EndtoEndServer endtoEndServer =
            new EndtoEndServer("/usr/safe/private.key", "password");
       // unpack() unwraps the symmetric key with the private key and returns the decrypted fields
       Hashtable hashtable = endtoEndServer.unpack(request.getParameter("encdata"));
       String userid = (String) hashtable.get("userid");
       String password = (String) hashtable.get("password");
    %>
    

 

(B) Return Encrypted Data from Server to Browser

As mentioned, the random key generated by the applet is used to perform the data encryption, and this key can be securely sent to the server by encrypting it with the public key. Thus the starting point must always be the applet. If the requirement is only to send encrypted data from the server to the browser, you first need to serve out a "dummy" page that runs the applet and sends the encryption key to the server. This dummy page is similar to the one given in section (A) but without any data to update.

  1. Prepare the data at the server side
    Use the update and done methods. The following is an example in JSP.
    <%@ page import="java.util.*, endtoend.*" %>
    <%
       EndtoEndServer endtoEndServer =
            new EndtoEndServer("/usr/safe/private.key", "password");
       // You must unpack the key from the applet first; the return data is encrypted under that key
       Hashtable hashtable = endtoEndServer.unpack(request.getParameter("encdata"));
    
       endtoEndServer.update("bankaccount","201-8827381-1");
       endtoEndServer.update("balance","$84,572");
    %>
    
  2. Embed the encrypted data
    Put the server-side encrypted data into the return page. JavaScript is required to decrypt the data using the unpack method of the applet, and one easy method is to put the encrypted chunk directly into the page's JavaScript. The get method then extracts each value. The following is an example where the decrypted data is shown in a form (the field names in the script must match the input names in the form).
    <script language="javascript">
    function decode() {
       // unpack() decrypts the chunk with the same symmetric key; call this
       // only after the page, and hence the applet, has finished loading
       document.e2e.unpack("<%= endtoEndServer.done() %>");
       document.bankform.bankacc.value = document.e2e.get("bankaccount");
       document.bankform.balance.value = document.e2e.get("balance");
    }
    </script>
    ....
    <form name="bankform" >
    Your Bank Account Number: <input type="text" name="bankacc">
    Balance = <input type="text" name="balance">
    </form>
    
That's all there is to it! For more details, refer to the javadoc in the download.