Password encryption at client side


Problem description


Possible duplicate:

About client-side password hashing systems

I have to secure the passwords of my web site users. What I did was use MD5 encryption hashing in server side. But the problem is the passwords remain in plain text until it arrives at the server, which means that the password can be captured using traffic monitoring. So what I want is to use a client side password encryption mechanism and send the encrypted password. Can anybody tell what is the way to do this?

Recommended answer

This won't be secure, and it's simple to explain why:

If you hash the password on the client side and use that token instead of the password, then an attacker will be unlikely to find out what the password is.

But, the attacker doesn't need to find out what the password is, because your server isn't expecting the password any more - it's expecting the token. And the attacker does know the token because it's being sent over unencrypted HTTP!

Now, it might be possible to hack together some kind of challenge/response form of encryption which means that the same password will produce a different token each request. However, this will require that the password is stored in a decryptable format on the server, something which isn't ideal, but might be a suitable compromise.

And finally, do you really want to require users to have javascript turned on before they can log into your website?

In any case, SSL is neither an expensive nor an especially difficult to set up solution any more.
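The two points in the answer, as an added illustration that is not part of the original post: with client-side MD5 hashing the token on the wire is the credential, so a captured token replays successfully; with a nonce-based challenge/response (HMAC-SHA256 here, chosen for the example) a captured response fails against the next challenge, but the server must hold the password or a password-equivalent secret to verify it. The credential and the `server_verify_*` helpers are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for the example (not from the page).
PASSWORD = "correct horse battery staple"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# --- Scheme 1: client sends md5(password) over plain HTTP ---
def server_verify_static(stored_md5: str, token: str) -> bool:
    # The server only compares the received token with the stored hash,
    # so the token itself is the credential from the server's point of view.
    return hmac.compare_digest(stored_md5, token)


def replay_succeeds_static() -> bool:
    stored = md5_hex(PASSWORD)     # what the server holds
    token = md5_hex(PASSWORD)      # what the client sends each login
    captured = token               # what an eavesdropper records
    return server_verify_static(stored, captured)  # True: replay works


# --- Scheme 2: challenge/response over a fresh server nonce ---
def new_challenge() -> str:
    return secrets.token_hex(16)


def client_response(password: str, nonce: str) -> str:
    return hmac.new(password.encode(), nonce.encode(), "sha256").hexdigest()


def server_verify_challenge(password_on_server: str, nonce: str, response: str) -> bool:
    # The server must hold the password (or a password-equivalent secret)
    # to recompute the HMAC; a one-way hash of it is not enough here.
    expected = client_response(password_on_server, nonce)
    return hmac.compare_digest(expected, response)


def legit_login_succeeds() -> bool:
    nonce = new_challenge()
    return server_verify_challenge(PASSWORD, nonce, client_response(PASSWORD, nonce))


def replay_succeeds_challenge() -> bool:
    captured = client_response(PASSWORD, new_challenge())  # observed on the wire
    fresh_nonce = new_challenge()                          # next login challenge
    return server_verify_challenge(PASSWORD, fresh_nonce, captured)  # False
```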
