Java身份验证安全 [英] Java authentication security
问题描述
我有一个中心管理员在其中创建实例。为了使用这个判断帐户,从另一台计算机的应用程序的法官帐户的应用程序法官实例需要与认证中心管理 。应用程序的用户实例会送东西给管理,谁将会推动其关闭,以评委之一。
I have a central admin instance of an app where judge accounts are created. In order to use this judge account, a judge instance of the app from another computer needs to authenticate with the central admin. A user instance of the app will send something to the admin, who will push it off to one of the judges.
我的问题是我怎么能验证一个判断。如果我简单地发送密码,可以嗅探(因为所有这些实例的需要是在同一网络上)。
My problem is how I can authenticate a judge. If I simply send the password, it can be sniffed (since all of these instances are required to be on the same network).
我不知道,如果使用SSL会有所帮助,但即使是这样,我不能用它(我在这个没有控制)。
I'm not sure if using SSL would help, but even if it does, I can't use it (I have no control over this).
推荐答案
您可以在这里使用类似PGP。所以,你会使用一些公共密钥的东西。这将消除对共密码的需要。
You could use something like pgp here. So you would use some public key stuff. That would eliminate the need for a password altogether.
使用公共密钥加密每个用户都有一个公共密钥和私有密钥。即用一个密钥加密的东西,只能与其它密钥进行解密。所以,你可以把手伸到公共公钥。如果有人想送东西给你,他可以使用您的公钥来加密消息,只有你可以将其解密。
With public key encryption every user has a public key and a private key. Stuff that is encrypted with one key, can only be decrypted with the other key. So you can hand out the public public key. If someone wants to send something to you, he can use your public key to encrypt the message, and only you can decrypt it.
于是给服务器消息会与用户的私钥加密。他发送消息和他的公钥。您可以在服务器端的数据库查询,如果你知道这个公钥。如果你使用该密钥解密消息,你知道,它是由用户发送。
So messages to the server would be encrypted with the users private key. He sends the message and his public key. You can have a database lookup on the server side if you know this public key. and if you can decrypt the message with that key, you know that it is sent by that user.
通过一些工作,你也许可以用它来识别和验证用户。
With some work, you probably could use that to identify and authenticate users.
您只想用评委担保任何新用户和他的公钥,当他们第一次谈论到服务器。所以,你可以建立信任的网站。
You would just use the judges to vouch for any new user and his public key, when they first talk to the server. So you can create a web of trust.
这篇关于Java身份验证安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
