User Authentication by Decryption


Problem description

I'm trying to avoid DB access upon authentication to improve performance.

After a lot of searching, a valid solution seems to be storing an encrypted string in a cookie and trying to decrypt it upon authentication.

Thus, I am wondering if the following is a good idea:

  1. Transmit everything over SSL (I'm lazy..)

  2. Set a global constant secret key in my program

  3. After registration and after a password change, generate a new random verification string and store it in the user object

  4. Generate an encrypted verification string from the verification string and the secret key

  5. Store the unencrypted and the encrypted verification strings in the cookie

  6. When the user tries to log in, decrypt the verification string and check it against the original verification string

If it is an "OK" idea, how do I actually make it work, e.g.:

What encryption method should I use, AES-256?

How do I do this kind of encryption/decryption in Java, using Bouncycastle?

If it is not a good idea, what should I do to avoid querying the DB on authentication?

Thanks in advance!

Recommended answer

The problem you describe above is called "RememberMe". Two approaches to solve your problem:

1) Create your own authentication framework.

Upon successful authentication, put an encrypted value of the username in a cookie (I strongly do not recommend using hashing; also, please do not put the user's password value in it).

The cookie should be persistent for at most 2 weeks.

For encryption please use AES-256 encryption with BouncyCastle: How to use Bouncy Castle lightweight API with AES and PBE (http://stackoverflow.com/questions/2957513/how-to-use-bouncy-castle-lightweight-api-with-aes-and-pbe)
Please do not put any plain values in cookies.
If your framework successfully decrypts the cookie, the user is authenticated. If your framework cannot decrypt the cookie, or the cookie does not exist, the user is not authenticated.
Upon logout, please clear the cookie.

2) Please consider using the Spring Security framework:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html

It is a great framework and solves a lot of authentication / authorization problems.

Your problem is solved by the "RememberMe" feature:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-remember-me

Please tell me if you need any additional clarifications.

Best regards,

Michael
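The following is an added example, not code from the question or the answer above, showing one way to build the "remember me" cookie both posts describe with the Bouncy Castle lightweight API: the username plus an expiry is encrypted under a server-side AES-256 key, and the cookie is accepted without any database lookup only if it decrypts. One caveat the answer does not spell out: "if it decrypts, the user is authenticated" is only safe with an authenticated mode, because plain AES-CBC ciphertext can be bit-flipped and will still "decrypt" to something. The example therefore uses AES-GCM, whose tag check fails on any tampered or foreign-key ciphertext. The class name `RememberMeCookie`, the `username|expiry` layout, the constant `remember-me-v1` associated data and the randomly generated demo key are assumptions made for this example; a real deployment would load the key from a keystore or KMS and rotate it.

```java
// Added example (not from the original question or answer): a "remember me"
// cookie sealed with AES-256-GCM via the Bouncy Castle lightweight API.
// Assumes bcprov is on the classpath. The key, AAD string and token layout
// are choices made for this demo, not anything the page specifies.
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;

public final class RememberMeCookie {
    private static final int NONCE_BYTES = 12;   // 96-bit nonce, the standard GCM size
    private static final int TAG_BITS = 128;     // full-length authentication tag
    static final long MAX_AGE_MS = 14L * 24 * 60 * 60 * 1000; // two weeks, as the answer suggests
    private static final SecureRandom RNG = new SecureRandom();
    // Binds the token to this purpose so the same key cannot mint tokens for another context.
    private static final byte[] AAD = "remember-me-v1".getBytes(StandardCharsets.US_ASCII);

    private final byte[] key; // 32 bytes = AES-256

    public RememberMeCookie(byte[] key) {
        if (key.length != 32) throw new IllegalArgumentException("AES-256 needs a 32-byte key");
        this.key = key.clone();
    }

    /** Seal "username|expiry" under a fresh random nonce; cookie = base64url(nonce || ciphertext || tag). */
    public String issue(String username, long nowMs) {
        if (username.indexOf('|') >= 0) throw new IllegalArgumentException("username must not contain '|'");
        byte[] plain = (username + "|" + (nowMs + MAX_AGE_MS)).getBytes(StandardCharsets.UTF_8);
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce); // must never repeat under the same key; random 96-bit is fine at cookie volumes
        try {
            byte[] sealed = gcm(true, nonce, plain);
            byte[] out = new byte[NONCE_BYTES + sealed.length];
            System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
            System.arraycopy(sealed, 0, out, NONCE_BYTES, sealed.length);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        } catch (InvalidCipherTextException e) {
            throw new IllegalStateException(e); // not reachable on the encryption path
        }
    }

    /** Returns the username if the cookie authenticates under our key and is unexpired; empty otherwise. */
    public Optional<String> verify(String cookie, long nowMs) {
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(cookie);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        if (raw.length < NONCE_BYTES + TAG_BITS / 8) return Optional.empty();
        byte[] nonce = Arrays.copyOfRange(raw, 0, NONCE_BYTES);
        byte[] sealed = Arrays.copyOfRange(raw, NONCE_BYTES, raw.length);
        byte[] plain;
        try {
            plain = gcm(false, nonce, sealed);
        } catch (InvalidCipherTextException e) {
            return Optional.empty(); // tag mismatch: tampered, or sealed under a different key
        }
        String[] parts = new String(plain, StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 2) return Optional.empty();
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return Optional.empty(); }
        return nowMs > expiry ? Optional.empty() : Optional.of(parts[0]);
    }

    private byte[] gcm(boolean encrypt, byte[] nonce, byte[] in) throws InvalidCipherTextException {
        GCMBlockCipher cipher = new GCMBlockCipher(new AESEngine());
        cipher.init(encrypt, new AEADParameters(new KeyParameter(key), TAG_BITS, nonce, AAD));
        byte[] out = new byte[cipher.getOutputSize(in.length)];
        int n = cipher.processBytes(in, 0, in.length, out, 0);
        n += cipher.doFinal(out, n); // on decryption this is where the tag is checked
        return Arrays.copyOf(out, n);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // demo only: a real server persists and rotates this key
        RememberMeCookie rm = new RememberMeCookie(key);
        long now = System.currentTimeMillis();
        String cookie = rm.issue("alice", now);
        System.out.println("valid    -> " + rm.verify(cookie, now));                   // Optional[alice]
        System.out.println("expired  -> " + rm.verify(cookie, now + MAX_AGE_MS + 1));  // Optional.empty
        byte[] raw = Base64.getUrlDecoder().decode(cookie);
        raw[NONCE_BYTES] ^= 0x01;                                                      // flip one ciphertext bit
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("tampered -> " + rm.verify(forged, now));                   // Optional.empty
        System.out.println("wrongkey -> " + new RememberMeCookie(new byte[32]).verify(cookie, now)); // Optional.empty
    }
}
```

Two design points worth noting. The expiry lives inside the sealed payload, not in a separate cookie attribute, so a client cannot extend its own session by editing a plaintext field; and logout still only clears the browser's copy, so a stolen cookie stays valid until it expires or the key is rotated. If that is unacceptable, the token needs a per-user series value checked against storage, which is exactly the database round-trip the question set out to avoid; Spring Security's persistent-token remember-me variant makes that trade-off explicitly.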
