在URL中加入加密密码?可能? [英] Include an encrypted password in a URL? Possible?
问题描述
因此,我们希望创建一个包含加密形式的密码的链接。
注意:我知道最好的方法是一个查找表,每个链接都有一个唯一的密钥...我不会介绍为什么这不会为我们工作;它不会。
我不熟悉公钥加密..也许这就是我需要的?
这是我在想什么这可能还不够,所以请让我知道:
定义:user-password是指链接中加密形式的用户密码。 p>
我们不能对所有用户密码使用一个加密密钥,因为可能通过生成大量的链接来导出加密密钥,所以...
-
使用标准形式的对称加密。
-
服务器有一个文本文件与1000个复杂的加密密钥。
-
当生成链接(使用具有该列表的PHP脚本)时,选择1000个密钥中的一个加密他们的明文密码(按顺序选择,不随机选择,以防止在同一时间内选择相同的密码)。
-
在加密用户密码之前,添加一些像s345lm34l5k342342343534432324sdfs到它的开始,以盐。 (例如:password1变成s345lm34l5k342342343534432324sdfspassword1)。 Salting使得难以对字典攻击进行解密。这种盐保持私密。但是,当然,它有可能被破坏的风险,它是所有密码的一个盐,所以...
-
此外,还有一个随机生成的盐添加到密码。这个盐用一个强大的密码加密。因为盐和密码加密它是一个随机的字节模式,它使得更难确定盐。
-
链接制作工具只允许你每10分钟生成15个链接,然后锁定IP。
- 链接制造商工具不生成链接,除非提供给它的用户/密码是实际的用户/密码组合。这样,如果有人只是尝试生成链接来确定加密信息,它将无法正常工作。但是从理论上讲,他们可以获得一个有效的用户/密码并尝试强力。
这个安全吗? b $ b
不,因为加密的密码已经成为密码。你试过SSL吗? SSL应该可以解决您的问题,您只需在HTTP级别使用纯文本URL。
We have a typical web-based login system. We want customers to have the ability to generate a "login link" that doesn't ever expire and includes their password. We want to therefore create a link which includes their password in encrypted form. NOTE: I know the best way is a lookup table where each link has a unique key... I won't go into why that won't work for us; it won't.
I'm not familiar with public key encryption.. Maybe that's what I need?
Here's what I'm thinking. This still might not be enough, so please let me know:
Definition: user-password refers to the user's password that we want in encrypted form in the link.
We cannot use one encryption key for all user-passwords because it may be possible to derive the encryption key by generating tons of links, so...
Use a standard form of symmetric encryption.
The server has a text file with 1000 complex encryption keys.
When a link is generated (using the PHP script that has that list), one of the 1000 encyption keys is chosen to encrypt their plaintext password (chosen in sequence, not at random to prevent the same from being chosen close to the same time).
Before encrypting the user's password, add something like "s345lm34l5k342342343534432324sdfs" to the start of it, to "salt" it. (Ex: password1 becomes s345lm34l5k342342343534432324sdfspassword1). "Salting" makes it harder to decrypt against dictionary attacks. This salt is kept private. But, of course, there's the risk it can be compromised and it's one salt for all passwords, so...
In addition, there's a second randomly generated salt added to the password. This salt is encrypted with a single strong password. Because both the salt and the password encrypting it is a random pattern of bytes, it makes it harder to determine the salt.
The link maker tool only lets you generate 15 links every 10 minutes, and then locks out the IP.
- The link maker tool doesn't not generate links unless the user/password provided to it is actual a functioning user/password combination. That way, if someone is just try to generate links to determine the encryption info, it won't work. Still, theoretically, they could obtain a valid user/password and try to brute force.
Is this secure?
No, because the encrypted password has become the password. Have you tried SSL? SSL should solve your problems, you can just use a plain URL on HTTP level.
这篇关于在URL中加入加密密码?可能?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
