Security from evil User

Problem description

My X system uses a public key to decrypt a cipher and does some work based on that. But a user of the system, whom I do not trust, has access to the system, the cipher and the key.

So what he can do is change the cipher, create another set of keys, encrypt using the private key, and replace both the cipher and the public key. So next time the system will not know that the message has changed. I basically do not care if the user can read it; my problem is that he cannot change it, so I thought of a MAC. Unfortunately, that evil user can change the MAC, as he has access to the repository.

The big problem is that the user is always going to have unlimited access to the cipher and the key(s). Now how can I secure the whole thing?

Recommended answer

Your problem appears to be one of key management. How do client programs obtain the server public key? Do they ask the server directly? Or do they get the server public key from some other independent source? Wouldn't the client become suspicious if the public key changed one day without notice?
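
The key-management point above, as an added example that is not part of the original question or answer: a verifier that trusts whatever public key sits in the repository accepts a full replacement, while one that checks the key against a fingerprint obtained independently rejects it. A hash-based Lamport one-time signature stands in for the asker's public-key scheme so the code needs only the standard library; all names are hypothetical, the sample records are constructed, and the pinned fingerprint is assumed to live somewhere the untrusted user cannot write.

```python
import hashlib, hmac, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. A key must sign only one message.
    return b"".join(sk[i][bit] for i, bit in enumerate(bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    ok = True
    for i, bit in enumerate(bits(msg)):
        want = pk[64 * i + 32 * bit:][:32]
        ok &= hmac.compare_digest(H(sig[32 * i:32 * i + 32]), want)
    return ok

def fingerprint(pk):
    return hashlib.sha256(pk).hexdigest()

def make_repo(sk, pk, msg):
    # Everything in this dict is writable by the untrusted user.
    return {"message": msg, "signature": sign(sk, msg), "pubkey": pk}

def load(repo, pinned_fp=None):
    # pinned_fp=None models the system in the question: it trusts the repo's key.
    if pinned_fp is not None and not hmac.compare_digest(
            fingerprint(repo["pubkey"]), pinned_fp):
        raise ValueError("public key does not match pinned fingerprint")
    if not verify(repo["pubkey"], repo["message"], repo["signature"]):
        raise ValueError("signature does not verify")
    return repo["message"]

# Constructed sample data: owner's record, then a full replacement with a new key.
owner_sk, owner_pk = keygen()
PINNED = fingerprint(owner_pk)  # assumption: kept where the user cannot write
genuine = make_repo(owner_sk, owner_pk, b"quota=10")
swapped = make_repo(*keygen(), b"quota=9999")
```

`load(swapped)` returns the replaced message, whereas `load(swapped, PINNED)` raises; if the pin itself is stored in the same repository, the check adds nothing.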
