-1

I'm thinking about man-in-the-middle attacks during a website login, and started wondering about reversible encryption.

What I'm imagining is an encryption that takes input A and creates an encrypted result, Ax. Like hashing, if you have Ax, you can't mathematically figure out A. But unlike hashing, there is a key (or salt or whatever). If you have Ax and the key, then you can use it to produce A.

Does something like that exist?

(P.S., I know the correct way to send passwords over the internet is in HTTPS, which is why I came here instead of security.SE.)

brentonstrine
  • 123
  • 1

1 Answers1

1

As bmm6o wrote in the comments, all encryption is meant to be reversible only when you know the correct key.

  • In the case of symmetric encryption it's the secret key which was used to encrypt the message.
  • In the case of asymmetric encryption it's the private key that corresponds to the public key which was used to encrypt the message.

Hashing is not encryption. It is one way and can only be used to verify that two things are the same – e.g. the original password and the current password guess.

(Whenever some company gets its password database stolen they inevitably say their passwords were "encrypted" presumably because they think their customers don't know what "hashing" is, but confusing those who know better. Encryption is not a secure way to store passwords, because if the attacker finds the key – which usually has to be on the same server – they can decrypt the whole database.)

In the case of plaintext password authentication, like a website login, you need to use encryption if you don't want eavesdroppers to see the password. Either symmetric or asymmetric encryption would do the trick. To prevent MitM attacks, you also need a secure key exchange.

SSL/TLS are meant to handle all that for you.

otus
  • 32,132
  • 5
  • 70
  • 165