通过TCP连接发送密码 [英] Send password over TCP connection

问题描述

大家好，


我有一个为客户端程序提供服务的程序。服务器有一个登录

密码，每个客户端都必须使用该密码登录。因此，当客户端连接时，它会发送一个带密码的字符串，然后

在服务器端验证。问题很明显：任何人都可以获得

密码只是嗅探网络。


如何解决这个问题？


Daniel

Hi all,

I have a program that serves client programs. The server has a login
password, which has to be used by each client for logging in. So, when
the client connects, it sends a string with a password, which is then
validated on the server side. The problem is obvious: anyone can get
the password just sniffing the network.

How can I solve this?

Daniel

推荐答案

" dcrespo" <直流***** @ gmail.com>写道：

"dcrespo" <dc*****@gmail.com> writes:

我有一个为客户端程序提供服务的程序。服务器有一个登录密码，每个客户端都必须使用该密码登录。因此，当客户端连接时，它会发送一个带密码的字符串，然后对其进行验证。在服务器端。问题很明显：任何人都可以通过网络嗅探密码。

如何解决这个问题？

I have a program that serves client programs. The server has a login
password, which has to be used by each client for logging in. So, when
the client connects, it sends a string with a password, which is then
validated on the server side. The problem is obvious: anyone can get
the password just sniffing the network.

How can I solve this?

如果你真的想要做对，使用SRP，< http://srp.stanford.edu>。

If you really want to do it right, use SRP, <http://srp.stanford.edu>.

最简单的方法是1方式哈希密码..或许使用md5


通常使用密码服务器只需检查它是否相同

字，假设相同的散列算法具有相同的散列值即可是
在客户端创建。


它不是非常安全......任何嗅探都可以获取你的哈希值并且

然后尝试在闲暇时破解它。最好通过ssl沟通

。


任何人都知道python中的简单ssl api :-)


dcrespo写道：

simplest approach is to 1 way hash the password ... perhaps using md5

normally with passwords the server only has to check if it is the same
word, assuming the same hash algorithms the same hash value can be
created at client.

Its not hugely secure ... anyone sniffing can grab your hash value and
then try to crack it at their leisure. It would be better to communicate
over ssl.

Anyone know of a simple ssl api in python :-)

dcrespo wrote:

大家好，

我有一个为客户端程序提供服务的程序。服务器有一个登录密码，每个客户端都必须使用该密码登录。因此，当客户端连接时，它会发送一个带密码的字符串，然后对其进行验证。在服务器端。问题很明显：任何人都可以通过网络嗅探密码。

如何解决这个问题？

Daniel

Hi all,

I have a program that serves client programs. The server has a login
password, which has to be used by each client for logging in. So, when
the client connects, it sends a string with a password, which is then
validated on the server side. The problem is obvious: anyone can get
the password just sniffing the network.

How can I solve this?

Daniel

Peter Tillotson写道：

Peter Tillotson wrote:

最简单的方法是1方式哈希密码...也许使用md5

不，它不是't - 见下文。

通常使用密码服务器只需要检查它是否是相同的字，假设相同的哈希算法可以使用相同的哈希值
在客户端创建。

不幸的是，这意味着客户端每隔

时间发送相同的字符串。

它不是非常安全..任何嗅探的人都可以抓住你的哈希值，然后尝试在闲暇时破解它。最好通过ssl沟通
。

它甚至不安全：他们所要做的只是重播数据

从服务器，他们也可以验证自己。他们

不必知道明文密码是什么。

任何人都知道python中的简单ssl api :-)

更安全的方法是使用某种挑战 - 响应机制，

其中服务器向客户端提出挑战C，然后

计算某些功能C和用户提供的明文密码由

提供。然后服务器通过对C和已知密码执行相同的

计算进行身份验证。


只要服务器每次使用不同的质询，那么这是

至少可以防止重播攻击。但是这个方案确实有服务器必须知道每个用户密码的弱点。


对于更安全的东西，请看OPIE和类似的方案。但是

让我们不要忘记所有这些方案只保证身份验证

交换：他们无法保护应用程序数据。


问候

Steve

dcrespo写道：

simplest approach is to 1 way hash the password ... perhaps using md5
No, it isn''t - see below.
normally with passwords the server only has to check if it is the same
word, assuming the same hash algorithms the same hash value can be
created at client.
Unfortunately this means that the client sends the same string every
time the user authenticates.
Its not hugely secure ... anyone sniffing can grab your hash value and
then try to crack it at their leisure. It would be better to communicate
over ssl.
It''s not even that secure: all they have to do is replay the data
sniffed from the server and they too can authenticate themselves. They
don''t have to know what the plain-text password is.
Anyone know of a simple ssl api in python :-)
A safer way would be to use some sort of challenge-response mechanism,
where the server presents a challenge C to the client, which then
computes some function of both C and the plain-text password provided by
the user. The server then authenticates by performing the same
computation on C and the known password.

As long as the server uses a different challenge each time then this is
at least secure from replay attacks. But this scheme does have the
weakness that the server must know the password of each user.

For something even more secure, look at OPIE and similar schemes. But
let''s not forget that all these schemes only secure the authentication
exchange: they do nothing to protect application data.

regards
Steve
dcrespo wrote:

大家好，

我有一个服务客户端程序的程序。服务器有一个登录密码，每个客户端都必须使用该密码登录。因此，当客户端连接时，它会发送一个带密码的字符串，然后对其进行验证。在服务器端。问题很明显：任何人都可以通过网络嗅探密码。

如何解决这个问题？

Daniel

Hi all,

I have a program that serves client programs. The server has a login
password, which has to be used by each client for logging in. So, when
the client connects, it sends a string with a password, which is then
validated on the server side. The problem is obvious: anyone can get
the password just sniffing the network.

How can I solve this?

Daniel

-

Steve Holden +44 150 684 7255 +1 800 494 3119

Holden Web LLC www.holdenweb.com

PyCon TX 2006 www.python.org/pycon/

--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC www.holdenweb.com
PyCon TX 2006 www.python.org/pycon/

这篇关于通过TCP连接发送密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！