Safe way to store decryptable passwords


Question

I'm making an application in PHP and there is a requirement that it must be possible to decrypt the passwords, in order to avoid problems in the future with switching the user database to a different system. Consider that it's not possible to modify this future system's password method and I need plain text passwords in order to have the passwords generated.

The plan is to encrypt the user's password with a public key that is stored on the server. Authentication is done by encrypting the input and comparing the results. There is NO decryption done. The private key capable of the decryption is stored off-site for later usage.

What encryption/decryption algorithm would you suggest? Are the encrypted passwords still as safe as hashing (MD5/SHA1) when you consider the private key is not available to the attacker?

Answer

I'll rephrase Jammer's approach -

  1. Generate a public/private key pair. Hard-code the public key on your web server. Store the private key in a physical bank locker that the web server, the database and any developer cannot access.
  2. When the user registers, encrypt the password + salt with the public key. This step is the same as using a hashing algorithm. Store the encrypted password + salt in the database.
  3. When you want to verify the password, encrypt it again and compare it with the value stored in the database.

If an attacker gets the database, he can't decrypt the passwords because he doesn't have the private key. He cannot get the private key because it is in a bank vault outside his reach. Two identical passwords will still be stored differently in the database because of the salt.

I don't recommend using the above approach because at any point of time in the future someone could abuse the private key and get access to all passwords.

But if you guarantee that the private key will always remain private, then I don't see a technical flaw.

I could be wrong, of course.
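The register/verify steps of the answer above, as an added example that is not part of the original post or answer, using PHP's OpenSSL extension. The key pair is generated in-process only so the example runs stand-alone; in the described design the private key never reaches the server. It also shows the detail step 3 silently depends on: the encryption has to be deterministic, which the default PKCS#1 padding is not.

```php
<?php
// Added example (not the poster's code): the encrypt-and-compare scheme from the answer.
// Demo key pair generated here; in the real design only the public key is on the server.
$pair      = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$details   = openssl_pkey_get_details($pair);
$publicKey = $details['key'];        // PEM-encoded public key, the part hard-coded on the server
$keyBytes  = $details['bits'] / 8;   // 256 bytes for a 2048-bit modulus

// Default PKCS#1 v1.5 padding is randomized: the same password+salt gives a different
// ciphertext on every call, so the comparison in step 3 could never succeed with it.
openssl_public_encrypt('hunter2' . 'demo-salt', $c1, $publicKey, OPENSSL_PKCS1_PADDING);
openssl_public_encrypt('hunter2' . 'demo-salt', $c2, $publicKey, OPENSSL_PKCS1_PADDING);
$paddedCiphertextsMatch = ($c1 === $c2);   // false

// Raw RSA (no padding) is deterministic. OPENSSL_NO_PADDING requires the input to be
// exactly one modulus in length, so the block is zero-padded on the left.
function encryptForStorage(string $password, string $salt, string $publicKey, int $keyBytes): string
{
    $plain = $password . $salt;
    if (strlen($plain) >= $keyBytes) {
        throw new InvalidArgumentException('password + salt must be shorter than the key');
    }
    $block = str_pad($plain, $keyBytes, "\0", STR_PAD_LEFT);
    if (!openssl_public_encrypt($block, $out, $publicKey, OPENSSL_NO_PADDING)) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $out;
}

// Step 3: re-encrypt the login input and compare against the stored value in constant time.
function verifyPassword(string $input, string $salt, string $stored, string $publicKey, int $keyBytes): bool
{
    return hash_equals($stored, encryptForStorage($input, $salt, $publicKey, $keyBytes));
}

// Step 2 (registration): random per-user salt, stored next to the encrypted value.
$salt   = bin2hex(random_bytes(16));
$stored = encryptForStorage('hunter2', $salt, $publicKey, $keyBytes);

$correctAccepted = verifyPassword('hunter2', $salt, $stored, $publicKey, $keyBytes); // true
$wrongRejected   = !verifyPassword('hunter3', $salt, $stored, $publicKey, $keyBytes); // true
var_dump($paddedCiphertextsMatch, $correctAccepted, $wrongRejected);
```

Because the stored value is a deterministic function of the public key (which lives on the server) and the stored salt, it can be checked against candidate passwords at the speed of an RSA public-key operation, so it should be treated as no stronger than a fast salted hash, not as something the missing private key protects.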
