是否有可能哈希密码和验证用户的客户端? [英] Is it possible to hash a password and authenticate a user client-side?
问题描述
我经常做小网站,并使用内置在SQL Server数据库中ASP.NET成员资格功能,使用默认的哈希密码存储方法。
I often make small websites and use the built in ASP.NET membership functionality in a SQL Server database, using the default "hashing" password storage method.
我不知道是否有客户端上散列他的密码,而不是在通过线路明文发送它不使用SSL来验证用户的方式。
I'm wondering if there's a way to authenticate a user by hashing his password on the client and not sending it in clear text over the wire without using SSL.
我意识到,这可能仅仅与JavaScript的用户启用适用。
I realize that this would only be applicable for users with Javascript enabled.
或者......可能的话,这将是Silverlight的一个伟大的内置功能(这是在Silverlight的路线图?)
Or... possibly, this would be a great built-in capability for Silverlight (is this in the Silverlight roadmap?)
编辑:
我也在寻找安全度的。这意味着,如果有一种方法,它具有的部分的优于简单的发送明文密码,我想知道它们是什么以及为什么。
I'm also looking for "degrees of security." Meaning, if there is a method that has some advantages over simply sending plaintext password, I'd like to know what they are and why.
我知道有很多人谁做小网站与登录名(如一个家庭网站或自愿作出当地的烹饪俱乐部网站),并没有看到购买SSL证书的需求。
I know there are lots of people who do small sites with logins (such as a family website or volunteering to make a site for a local cooking club) and don't see the need for purchasing SSL certificates.
推荐答案
这是可能的。这实际上是Kerberos身份验证,只有添加了香料的一点点。为了确保您的身份验证机制是安全的,则需要以下内容:
This is possible. This is actually what Kerberos authentication does, only with a little bit of added spice. To ensure that your authentication mechanism is secure, you need the following:
- 在客户端和服务器上的一个常见的哈希算法。
- 在服务器上生成,并与客户共享的一次性盐值。
- 存储在数据库中的原来的密码。
要安全验证通过散列code用户,让您避免跨线发送实际的密码时,先在服务器上生成一个随机的,一次性使用的盐值。这种盐值与用户输入的密码腌制版本发送到客户端,并生成一个散列code。发送结果散列code键的服务器,并将其与从所存储的密码的盐腌版本生成的哈希code进行比较。如果比较失败,则丢弃该盐,重新生成新的盐值,并且重复此过程。
To securely authenticate a user via hash code, so you avoid sending the actual password across the wire, first generate a random, single-use salt value on the server. Send this salt value to the client, and generate a hash code from the salted version of the password the user has input. Send the resulting hash code to the server, and compare it with a hash code generated from the salted version of the stored password. If the comparison fails, discard the salt, regenerate a new salt value, and repeat the process.
究其原因,单次使用的盐是prevent任何人捕捉用户密码,当您使用哈希code比较,是一样的哈希值code收听谈话好,因为有密码本身。
The reason for the single-use salt is to prevent anyone listening to the conversation from capturing the hash code of the users password, which, when you use hash code comparison, is just as good as having the password itself.
请注意,你需要保持原来的密码你身边,你无法散列一次在服务器上保存的哈希数据库。如果你需要确保存储在数据库密码也安全的,则需要将它们存储前将其加密。我相信,ASP.NET成员资格提供者让你,完全是靠自己的存储密码加密,但是如果你真的希望有一个安全的身份验证机制是难以被黑客破解,那么我会建议处理密码存储和检索。
Note that you need to keep the original password around, you can't hash it once on the server and save the hash in the database. If you need to ensure that the passwords stored in your database are also secure, then you will need to encrypt them before storing them. I believe that ASP.NET membership providers do allow you to store passwords encrypted, however, if you really wish to have a secure authentication mechanism that is difficult for a hacker to crack, then I would recommend handling password storage and retrieval entirely on your own.
最后,我要指出的是,如果你使用SSL来验证在你的连接进行加密这样一个复杂的密码传输机制应该是大可不必。
Finally, I should note, that such a complex password transfer mechanism should be largely unnecessary if you use SSL to encrypt your connection during authentication.
参考(对于那些从来没有听说过Kerberos或SRP的是谁):
References (for those who have never heard of Kerberos or SRP):
http://en.wikipedia.org/wiki/Kerberos_ (协议)
<一href=\"http://en.wikipedia.org/wiki/Secure_remote_password_protocol\">http://en.wikipedia.org/wiki/Secure_remote_password_protocol
这篇关于是否有可能哈希密码和验证用户的客户端?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
