JavaScript Shopping & Crypto - Summary

Why do we need another shopping cart? Here's what this project is about:

• Easy to setup
• Flexible
• Easily integrates with your product line
• Requires little or no CGI scripting
• Can be run from ANY web host
• Secure
• Provides a responsive, comfortable, and understandable shopping experience
• Reduces server load -- no dynamic pages, no encryption overhead

Show me the goods!

• See the cart demo -- doesn't actually transmit the order.
• Generate RSA keys and see how fast it is on your browser.
• Older page of crypto stuff -- but still educational and shows other aspects of the crypto library.
• See the news on the summary page for the project status and some other things.

How do I get it?

When I feel like I have the project stable I'll put it in a .ZIP archive and upload it. Until then, the files from the cart demo are really all you need:

• myshop.htm
• mybuy.htm
• myshop.js
• crypto.js
• crypto2.htm -- optional: use to generate keys, or just use the one here.

How do you do a cart without CGI?

I'm so glad you asked. JavaScript's use of cookies makes tracking simple interactivity, like a shopping cart, easy. What's more, its rudementary math and array handling give enough tools to do relatively secure encryption WITHIN THE BROWSER.

Making a cart which tracks items is quite easy -- there are many interesting JavaScript shopping carts.

Making a cart which can encrypt the order -- that's new.

How does it work?

The mathematics behind RSA public key encryption have been well known for years, and now with RSA's opening of the copyright, we can use them in this type of application. There are many articles documenting the mathematics behind RSA, so I won't repeat those here. I have written simple functions to do arbitrary-precision math (ie math with really big numbers) and functions which use these to securely encrypt orders using the programming language buit into nearly every web browser on the Internet today.

How fast is it? Is it really secure?

See the crypto demo to see how fast it is on your browser, but for most people, encrypting an order with a safe key can be done in 1 or 2 seconds. Decrypting takes a bit longer: 5 to 30 seconds depending on the speed of your computer and how large a key you've chosen.

How secure it is depends on how large a key you use, and what you expect. Many browsers today use 40-bit encryption for their SSL connections, some use 64 bits, and some use 128 bits. In my notation, that's 5 bytes, 8 bytes, and 16 bytes. For the paranoid, they consider anything less that 1024 bits insecure, with 2048 bits preferred. I've found that 5, 6, 7, or 8 byte keys are not unacceptably slow, although 8 byte keys take some time to generate. 128 byte keys would take forever, but would theoretically work.

So, (if you're paranoid) no, it's not really secure, but yes, it is on a par with what you find elsewhere.

Has it been checked?

I intend to have it checked by cryptography experts when I'm done tweeking it. It hasn't yet been verified though. Watch the project news and I'll post when it's verified.