Slightly OT: encryption
From: Colin McKinnon (colin.deletethis_at_andthis.mms3.com)
Date: 03/11/05
Date: Fri, 11 Mar 2005 10:18:24 +0000
Hi all,
I've reached the limits of my knowledge and was wondering if anyone out
there is better informed.
I'm trying to set up a system of secure encryption for exchanges between
browser and server WITHOUT using SSL. I have hashing (MD5) at both ends and
symmetric encryption (TEA). If anybody knows a SECURE asymmetric encryption
algorithm which works with JavaScript - do let me know.
I have a reasonably secure logon system - server sends challenge and stores
MD5(challenge+password). Browser sends back MD5(challenge+password).
It occurred to me that if I could store the password at the browser end, I could
use it as the encryption key for future exchanges. But where to store it?
I could put it in a cookie, but that gets sent in the clear with each
request.
If I put it in a secure cookie or a cookie with an obfuscated path, it
wouldn't get sent back, but the browser can't read it either!
Is there anywhere I can store a value using JavaScript which is readable by
JavaScript but not normally sent back to the server?
Alternatively, is there any information available in JavaScript which is not
normally sent back to the server (if so, I can use this to encrypt the
password before storing it in the cookie)?
(I realise that an XSS vulnerability would expose the password, but I'm not
looking to do serious stuff like credit card details).
TIA,
C.
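
The logon exchange described in the post, as an added example that is not part of the original message: Node.js stands in for both ends, and the `Server` class, `browserResponse` function and sample credentials are constructed for illustration. It assumes the server can read the password in order to compute MD5(challenge+password), and it adds single-use challenges and a constant-time comparison so a captured response cannot be replayed.

```javascript
const crypto = require('node:crypto');

// MD5 only because the post uses it; all names and credentials here are constructed.
const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

class Server {
  constructor(users) {
    this.users = users;        // username -> password (assumption: server can read it)
    this.pending = new Map();  // username -> expected response for the open challenge
  }

  // Step 1: issue a fresh random challenge and store MD5(challenge+password).
  issueChallenge(username) {
    const password = this.users.get(username);
    if (password === undefined) return null;
    const challenge = crypto.randomBytes(16).toString('hex');
    this.pending.set(username, md5hex(challenge + password));
    return challenge;
  }

  // Step 3: compare the browser's response with the stored value.
  verify(username, response) {
    const expected = this.pending.get(username);
    this.pending.delete(username); // consumed on any attempt, so a replay finds nothing
    if (expected === undefined || typeof response !== 'string') return false;
    const a = Buffer.from(expected, 'utf8');
    const b = Buffer.from(response, 'utf8');
    return a.length === b.length && crypto.timingSafeEqual(a, b);
  }
}

// Step 2 (browser side): only the hash leaves the client, never the password.
function browserResponse(challenge, password) {
  return md5hex(challenge + password);
}

function demo() {
  const server = new Server(new Map([['alice', 'correct horse']]));
  const c1 = server.issueChallenge('alice');
  const r1 = browserResponse(c1, 'correct horse');
  const first = server.verify('alice', r1);
  const replaySameChallenge = server.verify('alice', r1); // challenge already used
  server.issueChallenge('alice');
  const replayNewChallenge = server.verify('alice', r1);  // old response, new challenge
  const c3 = server.issueChallenge('alice');
  const wrongPassword = server.verify('alice', browserResponse(c3, 'guess'));
  return { first, replaySameChallenge, replayNewChallenge, wrongPassword };
}

console.log(demo());
```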