How does jCryption work?

jCryption exchanges a generated “password” encrypted with RSA with the server. This “password” is used for all encryption and decryption.
The main purpose of jCryption is form encrypting … It encrypts on the client with javascript and decrypts on the server with PHP.

Why do you generate the keypair on every request?

Simple answer … security. The public key is sent to the client, the private key is saved in the session. So each keypair is only one time valid and only for the user which has the right server session. If one of these parameters is not fulfilled, the encrypted string will be empty.
And because of the fact, that every keypair is only one time valid, there can’t be any plain/cyphertext/cycling attacks to the dedicated server.
In version 2.0 AES is used for from data encryption which is much faster and secure.

How secure is jCryption?

It is not made to be used in applications with sensible data. I also take no responsibility for the security of your data. It provides a good level of base security so no data that leaves the client will be readable by a human. jCryption offers no way of authentication and is therefore vulnerable against “Men-In-The-Middle-Attacks” which you can only prevent if you use a SSL certificate.

What are your future plans on extending jCryption?

I currently don’t know yet. I first wanted to see if there is a need for such a plugin, but besides that, I am trying to improve performance and security. If you have any ideas what I can do to improve jCryption please contanct me.

What is with file uploads?

Currently jCryption does not support the encryption of uploaded files because I currently don’t know any way of getting access to data of a file with javascript. But I think it would be way too slow to encrypt large files with javascript.

Why should I use jCryption instead of SSL?

In my opinion jCryption is much easier to install and configure. Although I don’t think that jCryption is a replacement for SSL. It could be a nice addition for your contact form or login page to simply make it more secure.

What if the client has disabled javascript?

The form will be sent unencrypted.

What are the requirements?


Fork me on GitHub
Comments (58) Trackbacks (0)
  1. Hey there, I have a client who is using jCryption V1.2 and is moving some back end components from PHP to ASP.Net. I have tried replicating the PHP functionality using RSA without luck.

    Can someone confirm that the algo used in the $.jCryption.encrypt = function(string,keyPair,callback) is plain RSA?

  2. What’s the current interest rate for personal loans? http://community.parents.com/asumouooi/blog/2013/04/04/lolita_kingdom_nude_pics dark lolita models links Unsure about the bro n sis thing, but this is basically the exact perfect kind of fucking for me. doggy. she rubs her pussy, she fingers her own ass, shes wet as hell, and she one fine ass. and shes hot.

  3. Related to jCryption and using RSA may I see the entire required code for encrypting just one html element at the client side (a password), post the encrypted element (password) and decrypt it at the server.

  4. But here jcryption error why ?

    I found an example javascript + php what you think is safe ?

  5. Is it possible to generate the session key on the server rather than client? I know I have a good random number source there, but do not really trust what’s available at the client end…

  6. Hello guys … here are very good examples …

  7. Any alternative to PHP pages?How about JSP?

  8. Setting the reverse would be helpful.
    1 – Server Encrypts
    2 – Sends to Client
    3 – Client Decrypts

  9. I just tried jCryption and like it very much. Thanks a lot for the great work!

    It seems to me that the package include the examples works well in windows but I haven’t got it work on CentOS linux with php 5.1.6 for some reason.

    I did the same installation (directory layout). But looks like it cannot find resource or something like that. Anyone had the same experience, or any php.ini setting need to watchc?


  10. You are doing a wonderful job………sure oneday you will make this a better approach than SSL……………..all the best I needed something like this

    • I do not think this should replace SSL – what the benefit that many are not seeing is that this actually can thwart formgrabbing malware such as Zeus and SpyEye from stealing data if the computer is infected.

  11. This looks like a really solid library, but it would be nice if I could send encrypted traffic to the browser (i.e. have an encrypt function in PHP and a decrypt function in JS). Any chance this might be available in the future? Thanks for all the great work on this project.

  12. This is a great library. Any thoughts about making it open source in a single repository?
    I recently had an issue with split being deprecated with php 5, so I changed the code to use explode and it works great. Very simple fix, see http://drupal.org/node/1033492 for more details.

  13. jCryption is great! Unfortunately it stucks in infinite loops on my XAMPP-setup and my web host when generating keys.

    I’m pretty sure it is this loop which stucks,
    while (!$this->isPrime($num)) {
    $num = bcadd($num, ’2′);
    } (line 412-414)

    I’ve made it so instead that I generate a bunch of keys once a day and only use them. It’s faster, works better, but is less secure, but still secure enough for me.

  14. GenerateKeypair is slow on my server, i’ts possible to generate keys using function openssl_pkey_new?

  15. AMAZING job you’ve done! just AMAZING. I’ve tried several (yup, several… so several) libraries, codes, programs, so on, and NOTHING can even compare to the flexibility and portability (and even the speed) of your work. Congratulations to you and to everyone who worked/contributed on the project.

    And I’ll be looking forward for new versions, updates and functionalities!

  16. Dear Internet:
    The world needs more active attackers.
    Nobody is paying attention to real security any more.
    Go to your local cafes and http://airpwn.sourceforge.net/Airpwn.html!

  17. I have been looking for something like jCryption literally for years. Thank you!

  18. Make sure you don’t have an ID associated with your submit button, seems to blow it up.

  19. Hello,
    Nice work you are doing on your website.
    I’m looking for a library where I can encrypt in javascript and decrypt on the server side using c#.
    Is it possible to achieve this with your library?

  20. uploaded everything on the server and tried to send me an email. but the status circle runs endless and will not send the form. the end of my “main.php” looks like this:

    • looks like cant post php code here. so again:


      php echo “decrypted POST”; mail(“ralph.haering@gmail.com”,”Subject”, print_r($result,true));

    • “uploades everything” means, uploaded the original jCryption folder. the main.php I’ve changes is the one in Example2

  21. Nice jquery plugin. I actually wrote something similar on the php side and then found this. I was using GMP to handle the big numbers though… I think mine is quicker on on key generations than your BC math. *shrugs*

    Something else I might suggest is to generate a hash lookup table to cut back on key generation time but it might not be something you want to do. Looks like the getPrime(…) function picks a random number and finds the next prime… I noticed you choose the Fermat prime for public key E.

    What I am wondering is if you could pick out 100 keys a day and hash them into storage, then you could have a lookup table with little complexity and not run the risk of over using the same keys. After a month’s time you would have plenty of keys (more to pick randomly from).

    It seems that when I cranked the key size up to 1024 it took a very long time to do anything and sometimes it would not return a result (even after 5 minutes). So I may re-write the server side stuff and keep the client end.

    All in all, neat little plugin – let me know if you’re interested in the hashing idea I mentioned above, I may go ahead and develop it so that you can cronjob keys to randomly pass out (if you’re worried about over usage we can expire keys as well if you are looking for a one-time keypad approach).

    I am using this in a system where content is not sensitive but I need to know who is logged in and keep the password secret from browser to ldap server. The server does not have SSL support (or a certificate that is trusted). Works pretty good for me.

  22. Hi,
    I got it working with Java but only problem I have is when I decrypt variable I see two characters appended to my value.
    Is this a bug, have anyone seen this problem before.
    Please reply.

  23. This library is just what I was looking for – very simple to integrate. Thanks!

  24. Is there a way to use this with multiple forms on a page? For example, I have a page for a site’s user administration. It lists all the users and each user’s info in a different form. How do I get it to encrypt just the form I need? Here’s some code I’ve used that did not work:

    function submitForm(formID)
    var form = document.getElementById(formID);
    formID = “#” + formID;


    On each form I have a button that calls this function, but it does not work. I’ve also tried putting the document.ready(…) part in the function, too. Neither work. Can you help me get this working, please?

    • Ok, I got it. It works, so I guess it’s right. Luckily, I’m using PHP to create the HTML for my page. I loop through the returned users and write out a line of javascript for each form that will be used to edit the users. Here’s the javascript:

      $(“#userForm0″).jCryption( {getKeysURL:”./utilities/getKey.php”} );
      $(“#userForm1″).jCryption( {getKeysURL:”./utilities/getKey.php”} );
      $(“#addUserForm”).jCryption( {getKeysURL:”./utilities/getKey.php”} );

      If that’s not the right way to do it, let me know.

      • I use JavaScript to check all forms ID names to see if it has the word “encrypt” at the end then it loops through initialising them.

      • Is that the only code you’re using? Are you doing anything special in your forms? I have a similar situation and haven’t been able to get it to work. I have a sidebar that contains a login (user/pass) and the main content area may contain something else (e.g., registration). For testing I’ve just created a page with two simple forms that work when I change the the function to point to either one or the other but I have been unable to get the code to dynamically figure out which form has been submitted.

  25. Is it possible to encrypt and decrypt using PHP so that I can encrypt the GET data in links?
    For example:

  26. Hi there.
    I’ve tried it and works great, with exception of special characters (like ç, Ç, é, É, ã, Ã, », «, etc..)

    Is there any way to solve this?

    • Are you sure you set the charset of the page to uft-8 ?

      • Hi again.
        In fact, I’m using exactly your example1, without any change, over my Apache install. Your files (index.html and main.php) already set the meta headers as charset as UTF-8. Do I need to set it any elsewhere?
        I’ve tried with Firefox and IE8, the result is the same:
        E.g.: instead of the char “é”, i’m getting “é”

        Thanks in advance.

  27. I don’t see where the question from KC was answered about submitting the form to an email address. How is this done. I don’t see a way in the main.php file. Any help would be much appreciated.

    • There is no way in HTML to send a form directly to an email address you have to send an email from the server.
      That means you have to use the PHP function “mail” in the main.php to send an email.

      Example: (at the end of main.php)
      echo “decrypted POST”;

      This will send an email with the complete form data to “myEmail@google.com”.

      • uploaded everything on the server and tried to send me an email. but the status circle runs endless and will not send the form. the end of my “main.php” looks like this:


  28. This is a little hard to explain. Is there anyway of encrypting links or could you develop my idea? This would be excellent in protecting my GET information in my links which I use in my LEMsn (Localised Electronic-Messaging Systems Network) e.g. href=”mail/?read&mes_id=935632″.

    Deeper Example (not actual use):
    Unencrypted: Login
    Encrypted: Login

    “jCryption=27a786be660d7e104341e…” = the encrypted data/link printed in “href” using PHP (so the actual link wont be displayed in the source of the page)
    then “login.php” would decrypt $_GET['jCryption'] and login in user.

    No JavaScript and no forms. The encrypting code would have to be re-written in PHP.

    I could possibly do this myself but because my proficiency in JavaScript is not high I lack the ability to identify the encrypting function(s). Maybe you could send me a JavaScript function that will encrypt a string?

    Thanks for you time.

  29. I’m a real newbie. How do you send the form info to an email address?

  30. Lovely script you have there! Took a little time to figure out how it was connected (mainly the ajax part calling main.php). I used to have a users password sha1 hashed client side, before sending it to the server, but since i needed to get an ntlm for some users too, and I then had to send the plain text password to the server, I found this sweet script. However it will be used in conjunction with SSL in the end anyway (ntlm hash needed for local lan-party where we uses SSL for intranet website)
    If there was something that would have made it easyer for me, it might have been joining the files together, so one would not need to spend too many hours figuring it out (I know, newbie).

  31. In future versions jCryption allow bidirectional comunication between client-server?

    • yes … I will soon release a small update with some security updates …
      After that there will be a new release with some new features … bidirectional communication is one of them …

  32. If you’re not guarding against man-in-the-middle attacks, then what security are you offering, exactly? Do you not realize that any security system is only as strong as its weakest point?

    The whole thing seems pointless.

    • You don’t have to use jCryption if you think it make no sense at all.
      When someone is between you and “the internet” you probably will have bigger problems than protecting your form data.
      jCryption protects form data against sniffers, in an open wlan for example.
      I think it’s much easier just reading the form data than encrypting a RSA encrypted text.
      And like I wrote several times before, if you want 100% security use SSL and it’s in the websites owner opinion if jCryption is enough or not.

  33. Despite the MITM attack, this librairy add a severe layer of security compared to plain text password.

    It’s not that hard to listen to an internet connection (unprotected wifi for example), but manipulating data while being transfered is much more complicated.

    So … thanks a lot for your Daniel ;-)

  34. This system vulnerable to man-in-the-middle attacks. An attacker can can return a spoofed result without the javascript encryption part and the user would never know anything is wrong.

    • That’s true it is vulnerable to MITM attacks, but I mentioned that jCryption at it’s current state offers no way of authentication and that it is no replacement for SSL. jCryption should be an easy to install plugin which offers a base level of security.

Leave a comment

You must be logged in to post a comment.

No trackbacks yet.