建立了安全注册和放JavaScript的解决方案;无SSL认证 [英] Established javascript solution for secure registration & authentication without SSL
问题描述
是否有安全的用户注册和认证SSL没有任何解决方案?
Is there any solution for secure user registration and authentication without SSL?
-
通过安全的我的意思的安全从被动窃听,不是从的人在这方面的中间人(我知道,只有签名证书的SSL会达到这个程度的安全性)。
With "secure" I mean safe from passive eavesdropping, not from man-in-the-middle (I'm aware that only SSL with signed certificate will reach this degree of security).
登记(密码设置,即交换pre-共享密钥)必须保证也没有SSL(这将是我想最难的部分)。
The registration (password setup, i.e. exchanging of pre-shared keys) must be also secured without SSL (this will be the hardest part I guess).
我preFER 建立行之有效的解决方案。如果可能的话,我不希望推倒重来,弥补我自己的密码协议。
I prefer established and well tested solution. If possible, I don't want to reinvent the wheel and make up my own cryptographic protocols.
先谢谢了。
推荐答案
有关记录中,你可以尝试 SRP
For logging in you could try SRP from clipperz:
- 我不知道他们使用的随机数生成器是多么强大。你可能会想尝试使用加密API 变得更加强壮值。我不知道如何可以得到在JavaScript安全的种子值,而无需使用加密API。
- I'm not sure how strong the random number generator they use is. You might want to try and use the Crypto API to get stronger values. I'm not sure how you can get secure seed values in javascript without using Crypto API.
有关服务器发送初始密码,你可以使用公共密钥加密。因此,服务器向客户端发送其公钥(按无MITM假设OK)和客户端加密注册时,整个注册请求。 Cipperz对公共密钥加密,但在一个非常原始形式的支持。通常,您使用公共密钥加密对随机生成的对称密钥,并用对称密钥加密的有效载荷。你必须要与填充 /等非常小心,以公共加密正确安全。我不知道JavaScript的强大的公共密钥加密库。
For sending initial password to server you could use public key encryption. So the server sends the client its public key (ok under the no mitm assumption) and the client encrypts the whole registration request when registering. Cipperz has support for public key encryption but in a very raw form. Often you use public key encryption to encrypt a randomly generated symmetric key and use the symmetric key to encrypt the payload. You have to be quite careful with padding/etc to make public encryption properly secure. I don't know of any robust public key crypto libraries for javascript.
您可能想看看 jsbn 以公共密钥加密,因为它看起来不正确填充。虽然,我怀疑它不安全的随机数生成受到影响。这是使用加密API或使用户一鼓作气键盘产生一些熵是个好主意。从rng.js段
You may want to check out jsbn for public key encryption because it looks like it does padding correctly. Though, I suspect it suffers from insecure random number generation. It would be a good idea to use Crypto API or make the user bang the keyboard to generate some entropy. Snippet from rng.js
// For best results, put code like
// <body onClick='rng_seed_time();' onKeyPress='rng_seed_time();'>
// in your main HTML document.
这篇关于建立了安全注册和放JavaScript的解决方案;无SSL认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
