I would like to know if jCryption + Challenge Response Authentication Mechanism are a good alternative to SSL.
I know that SSL is very much better, but I'm making a project where the owner doesn't want to buy an SSL certificate, and I would like to find a solution that gives the best security approach that can be achieved without the use of SSL.
Any ideas?
No, it's not.
Just off the top of my head, I can think of many reasons: HTTP headers are still unencrypted, the key exchange is vulnerable to man-in-the-middle attacks, and you're putting a high degree of trust in client-side code.
Just use a free SSL certificate from Startcom.
In the info section of jCryption:
jCryption at its current state is no replacement for SSL, because there is no authentication, but the main goal of jCryption should be a very easy and fast to install plugin which offers a base level of security.
It's quite self-explanatory. This plugin is not a replacement for SSL in any way, nor is it meant to be. The goal is not high-tech security.
If you want security that can be trusted in any way, just buy an SSL certificate. Or make your own, if you wish.
You can try using the Challenging Authentication-Agreement Protocol (CAAP). I suggest for the algorithms you use RSA and Serpent in CTR mode with an HMAC-SHA-512 authentication code appended to each message. This can be implemented securely with minimal knowledge. Although a nicely configured SSL system would probably be even easier and safer.
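As an added illustration of the "HMAC-SHA-512 appended to each message" part of the answer above (example code, not from the answerer or the jCryption project): it derives separate cipher and MAC keys from one shared secret, appends the tag in encrypt-then-MAC order, and rejects tampered or truncated messages with a constant-time comparison. The Serpent-CTR step is outside the standard library, so the block takes already-encrypted bytes as input; the key-derivation labels and the sample secret are constructed for the example.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha512().digest_size  # 64 bytes for HMAC-SHA-512


def derive_keys(master_secret: bytes):
    """Derive independent cipher and MAC keys from one shared secret.

    Reusing a single key for both Serpent and the HMAC is a classic
    mistake. Labelled HMAC-SHA-512 calls are used here as a simple KDF
    (hypothetical choice for the example; HKDF would be the usual pick).
    """
    enc_key = hmac.new(master_secret, b"serpent-ctr-key", hashlib.sha512).digest()[:32]
    mac_key = hmac.new(master_secret, b"hmac-sha512-key", hashlib.sha512).digest()
    return enc_key, mac_key


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: tag the ciphertext, never the plaintext."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha512).digest()
    return ciphertext + tag


def open_sealed(mac_key: bytes, blob: bytes):
    """Verify the appended tag before any decryption happens.

    Returns the ciphertext, or None when the tag is missing or wrong.
    """
    if len(blob) < TAG_LEN:
        return None
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha512).digest()
    # compare_digest runs in constant time; a plain == leaks via timing
    if not hmac.compare_digest(expected, tag):
        return None
    return ciphertext


if __name__ == "__main__":
    _, mac_key = derive_keys(b"constructed-shared-secret")
    blob = seal(mac_key, b"constructed ciphertext bytes")  # stands in for Serpent output
    tampered = bytearray(blob)
    tampered[0] ^= 0x01  # flip one bit of the ciphertext
    print("intact accepted:", open_sealed(mac_key, blob) is not None)
    print("tampered rejected:", open_sealed(mac_key, bytes(tampered)) is None)
```

Note that this only authenticates messages under a key both sides already share; it does nothing about the unauthenticated key exchange that the accepted answer flags as the real problem.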
You can always start your own certificate authority internal to your organization if this is not a public facing server. That way SSL certificates will not cost you an arm and a leg.
jCryption intends to only offer a secondary protection to your sensitive data. SSL is always your primary encryption and protection mechanism.
As most websites are completely dependent on SSL certificates for protection, new ways are developed to hack or steal certificates. In the event that your certificate is stolen, you are exposed to a man-in-the-middle attack. And this is where jCryption comes into play. The hacker still cannot have meaningful access to your sensitive data if you have a secondary protection (kind of similar to 2-factor authentication).
Hope this helps.
Source: https://stackoverflow.com/questions/8235166/jcryption-cram-are-a-good-alternative-to-ssl