I would like to know if jCryption + Challenge Response Authentication Mechanism are a good alternative to SSL.
I know that SSL is very much better, but I'm making a project where the owner doesn't want to buy an SSL certificate, and I would like to find a solution that gives the best security approach that could be achieved without the use of SSL.
Any ideas?
No, it's not.
Just off the top of my head, I can think of many reasons: HTTP headers are still unencrypted, the key exchange is vulnerable to man-in-the-middle attacks, and you're putting a high degree of trust in client-side code.
Just use a free SSL certificate from Startcom.
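The man-in-the-middle point in the answer above, as an added example that is not part of the original posts: a client that wraps a session key to whatever public key arrives over plain HTTP cannot tell the server's key from a substituted one, while a client holding a trusted reference (the role a CA-signed certificate plays in SSL) rejects it. The handshake is an assumed generic model, not jCryption's code, and the toy RSA primes, session key and function names are constructed for illustration.

```python
import hashlib

def make_keypair(p, q, e=65537):
    # Textbook RSA from constructed toy primes; far too small for real use.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

def fingerprint(pub):
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def client_wrap_session_key(session_key, received_pub, pinned_fp=None):
    """Encrypt the session key to the public key that arrived over HTTP.
    With pinned_fp set, refuse any key that differs from the trusted reference."""
    if pinned_fp is not None and fingerprint(received_pub) != pinned_fp:
        raise ValueError("public key does not match trusted fingerprint")
    n, e = received_pub
    return pow(session_key, e, n)

def unwrap(ciphertext, priv):
    n, d = priv
    return pow(ciphertext, d, n)

def run_handshake(key_substituted, pinned):
    """Return who ends up able to read the client's session key."""
    server_pub, server_priv = make_keypair(1000003, 1000033)
    other_pub, other_priv = make_keypair(1000037, 1000039)  # party on the path
    session_key = 123456789  # constructed sample value
    # Over plain HTTP the client simply receives *a* key; nothing binds it to the server.
    delivered = other_pub if key_substituted else server_pub
    pin = fingerprint(server_pub) if pinned else None
    try:
        ct = client_wrap_session_key(session_key, delivered, pin)
    except ValueError:
        return "rejected"
    if unwrap(ct, server_priv) == session_key:
        return "server"
    if unwrap(ct, other_priv) == session_key:
        return "third party"
    return "nobody"

if __name__ == "__main__":
    for substituted in (False, True):
        for pinned in (False, True):
            print(f"substituted={substituted} pinned={pinned} ->",
                  run_handshake(substituted, pinned))
```

The pin only helps if it reaches the client over a channel the on-path party cannot alter; a fingerprint shipped in the same unencrypted page as the script has the same weakness as the key itself.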