我必须使用哪种加密过程通过HTTP协议发送加密的“电子邮件"和“密码"值? [英] What encryption procedure I must use to send encrypted 'email' and 'password' values over the HTTP protocol?
问题描述
我正在使用Ruby on Rails 3,我想通过HTTP协议发送'email'和'password'值(我知道,我应该,但是我需要).我需要将用户凭据从我的客户端应用程序发送到我的服务应用程序*.
I am using Ruby on Rails 3 and I would like to send 'email' and 'password' values (I know, I should not, but I need that) over the HTTP protocol. I need to send user credentials from a my client application to a my service application*.
我可以使用公共 RSA 私有密钥来完成此操作,但是,如果是这样,我一定不要通过HTTP将公共密钥发送给接收者,否则黑客可以窃取该密钥并解密内容.另一方面,HMAC加密(如果我理解的话)仅用于验证数据完整性和消息的真实性.
I can use a public a private RSA key to accomplish that but, if so, I must don't send the public key to the recipient over HTTP, otherwise an hacker can steal the key and decrypt contents. On other hands, the HMAC encryption (if I understood that) is good only to verify the data integrity and the authenticity of a message.
我听说过 AES ... 这对我有好处吗?如果是这样,我在哪里可以找到如何与Ruby \ Ruby on Rails结合使用的教程?我仅"需要在客户端加密用户凭据,然后在服务器端解密.
I heard of AES... is it good for my purposes? If so, where I can find a tutorial on how to use that with Ruby\Ruby on Rails? I "simply" need to encrypt user credentials on the client side and decrypt that on the server side.
P.S.我:如果我对自己写的东西有误,请告诉我.
P.S. I: If I'm wrong about something I wrote, let me know.
P.S.II:如果您建议其他方法,请告诉我!
P.S. II: If you suggest other methods, let me know!
更新我
*客户端是一个Web应用程序(一个网站,例如'www.site1.com),服务器是另一个Web应用程序(另一个网站,例如'www.site2.com).
*The client is a web application (a site web, for example 'www.site1.com), the server is another web application (another site web, for example 'www.site2.com).
UPDATE II
使用RSA加密...
客户我服务"步骤:
-
客户端生成巴黎公钥/私钥
Client generates public\private key paris
我(真实的人)手动将公钥从客户端复制粘贴到服务
I (a real person) copy-paste manually the public key from the client to the service
客户端将包含加密用户凭据的消息发送到服务(客户端不会发送\将公共密钥附加到HTTP请求中)
Client sends to the service the message including encrypted user credential (client doesn't send\append the public key to the HTTP request)
服务使用公钥(只有该服务知道),才能解密用户凭据并继续登录用户
Service, using the public key (that only the service knows), decrypts user credentials and proceed to the login of the user
现在,如果我发送公钥而不是执行第2步,那么客户端必须在第3步中通过HTTP协议发送公钥,黑客可以
Now, if I send the public key instead of doing the step 2, and so the client must send the public key in step 3 over the HTTP protocoll, an hacker can
-
拦截消息
intercept the message
获取公钥
解密用户凭据并窃取用户凭据
decrypt the user credentials and steal those
那么,如果我将公钥发送到服务,我应该使用RSA加密来加密用户凭证(那些重要且私人的信息)吗??
推荐答案
我可以使用公共RSA私钥要做到这一点,但如果是这样,我必须不要将公钥发送到通过HTTP接收,否则黑客可以窃取密钥并解密内容.
I can use a public a private RSA key to accomplish that but, if so, I must don't send the public key to the recipient over HTTP, otherwise an hacker can steal the key and decrypt contents.
1)通过HTTP将公钥发送给收件人.
2)客户端使用它来加密数据.
3)任何黑客都无法使用公共密钥解密内容.
4)在您的服务器上,使用私钥对内容进行解密.
1) Send the public key to the recipient over HTTP.
2) The client uses it to encrypt the data.
3) No hacker can decrypt the contents with the public key.
4) In your server, use the private key do decrypt the contents.
在非对称密钥加密方案中,任何人都可以使用公共密钥对消息进行加密,但是只有配对的私有密钥的持有者才能解密."
"In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt."
编辑
背景:
- 公钥仅用于加密数据.
- 私钥用于且仅用于解密数据.
如果黑客拦截了公共密钥,那么她唯一能做的就是加密数据.
甚至HTTPS都以这种方式工作.
If a hacker intercepts the public key, the only thing she can do is encrypt data.
Even HTTPS works this way.
糟糕:只有服务器应该知道私钥.
Obs: Only the server should know the private key.
Obs2:务必尝试启用HTTPS.它将使您的生活更加轻松.
Obs2: By all means, try to enable HTTPS. It will make your life far easier.
这篇关于我必须使用哪种加密过程通过HTTP协议发送加密的“电子邮件"和“密码"值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
