Encryption Question

Problem description


I have a form where a user can change his password, but I'm confused
on how to prevent this from being transmitted in plain text.

Well, I know how not to transmit it in plain text - use any type of
encryption, but then the problem is, how do I decrypt it on the server
to store it?

If I use some type of key based encryption, then how do I get the key
to the client without it being intercepted, rendering the whole
process useless.

My question is, how can I set up secure password change functionality
on my site?

Solutions

On 13 Mar, 20:09, "egg...@gmail.com" <egg...@gmail.com> wrote:

I have a form where a user can change his password, but I'm confused
on how to prevent this from being transmitted in plain text.

Well, I know how not to transmit it in plain text - use any type of
encryption, but then the problem is, how do I decrypt it on the server
to store it?

If I use some type of key based encryption, then how do I get the key
to the client without it being intercepted, rendering the whole
process useless.

My question is, how can I set up secure password change functionality
on my site?

easy answer: SSL
not so easy answer: you will need a javascript implementation of
either
a) (not so good) symmetric enc/decryption algo.
b) (more secure) RSA encryption with decent key bit size, and will
need to encrypt as little as possible, because it is 100x slower than
(a)

Assuming (b)
1. get your public key as a javascript string and send to client,
holding back the private on the server.
2. tell your user "please wait" while you use the freely available
RSA.js to encrypt the password field and copy it to a field called
encrypted-password
3. blank the password field
4. send the form off
5. capture $_POST['encrypted-password'] and decrypt using your private
key on the server side

google for "RSA javascript implementation"


On 13 Mar, 20:09, "egg...@gmail.com" <egg...@gmail.com> wrote:

I have a form where a user can change his password, but I'm confused
on how to prevent this from being transmitted in plain text.

Well, I know how not to transmit it in plain text - use any type of
encryption, but then the problem is, how do I decrypt it on the server
to store it?

If I use some type of key based encryption, then how do I get the key
to the client without it being intercepted, rendering the whole
process useless.

My question is, how can I set up secure password change functionality
on my site?

of course you do have the problem of how you allow your client to
login securely afterwards!
make sure you never send the password as plain text, use a one time
pad, along with multiple hashing to send a password hash, and
immediately expire the pad/hash on successful login.
Make sure you don't fall into the trap of sending a "password
equivalent" by simply hashing the password once with no one time pad,
using the same hashing algo that the db uses, using a check like

if (

