Protecting Private Information on a Public Web Page

One of the stickier problems with the Web is that while you would like to give everyone access to your data, for some data you want to only give access to a single individual.

With the current protocols, the designed in mechanism for protecting data is the HTTP authentication mechanism. When you access a site you type in your user name and password and the web site returns your page with your data. Unfortunately if there are any proxy servers, especially any caching proxy servers, between you and your web page then there are copies of your private data sprinkled across the Web.

Java can fix this in a unique way, it can do this by sending both the data, and a program for displaying the data on a single web page. Then when asked, the program (applet) can display the data for the user. This web page has an example of such an applet.

Mechanisms and Protocol

The mechanism for transferring data and the applet in the web page is to encode both in the same HTML document. It is obvious by now that you encode the presence of an applet using the <APPLET ...> HTML tag. But how do you encode the data? One way that is gaining in popularity (JavaScript uses it for example) is to encode your data in the form of HTML "comments". On this page we have encoded a message in a comment that looks like this:
<!-- CipherText : account-summary
342E38247A2A3156525441055B4744414C503E2535253B5450143D263721
2724773D3D3921276F045A5B445D5B5C024959562B31357B3A3D224F5052
...
5C417C65A0
-->
The applet TextWidget on this page re-reads the page from the server and searches it for this special comment. When it finds it, it decodes the hex encoded data into binary data and waits for a key to unlock the data.

The Password applet on the page simply waits for the user to type some characters into it and a <CR>. When it sees the return character it sends the text (unmodified) to the text widget that then uses it to try to decode the data it is holding. If the data decodes successfully (there is a checksum embedded in it). Then the text widget displays the data, otherwise it remains silent.

It is important to note that while the password is sent "in the clear" to the text widget applet, it does so only in the context of the memory space of this web page, the password has not been sent over the network or exposed in any way.

The Example Applets

These are the example applets, in the small box just below this paragraph, click on the box and type some characters into it. You will know your characters are being read because '*' characters will appear. After typing a few press enter.




Now you will notice that nothing happened in the text box. Now clear the password by typing control-U (control plus U) or by pressing backspace several times to erase all of the '*' characters and type in vote4it, just like that. In lower case and the total of seven characters.

Now press enter and watch the box below. Voila' the encrypted text appears as clear text! The really useful thing is that even though this page may be cached on servers all over the net, only a person who knows the right password to type to the password applet will be able to read the data. (actually this text is quite susceptible to cryptanalysis however if you were to use DES-3 as the encryption engine that would not be the case.)

The program to generate the cipher text is called: GenerateCipherText.java.


This text box displays the decrypted text when the correct password is typed.