SSL替代 - 使用JavaScript加密密码以提交给PHP进行解密 [英] SSL Alternative - encrypt password with JavaScript submit to PHP to decrypt

问题描述

我正在建立一个网站，我的付款方式将是Google Checkout和PayPal。将有一些链接/按钮，将用户重定向到安全的Google / Paypal网站以处理付款。这意味着我不需要为我的网站安装SSL证书所需的150美元/年的费用和复杂程度。

但是，我希望在登录时加密用户的密码所以如果他们在网络上，一些运行FireSheep等的恶意用户在发送到服务器时就无法读取用户的实际密码。该网站的其余部分不需要加密，因为它不是真正敏感的数据，可能会显着降低用户体验。

我的想法可能是公开实现的密钥加密。让我们说过程是这样的：

1. 公钥在JavaScript外部文件中，服务器上的PHP中的私钥


2. 用户将其用户名和密码输入表单并单击提交


3. JavaScript运行并加密密码，将其存储回文本字段


4. 表单提交给服务器，密码用PHP解密


5. PHP中的纯文本密码已被加密哈哈，然后与数据库中的哈希进行比较。


6. 注册/更改密码功能的可能的类似过程。

我正在想一些像RSA这样的技巧。但是我已经在网上搜索了一个可用的JavaScript库来完成它，但是似乎没有与可用的PHP库兼容。无论如何，它需要生成一组与JavaScript和PHP兼容的键。

任何人都知道一个实际的工作解决方案？如果不是我们写一个然后开源。不幸的是，编写加密/解密代码非常复杂，所以我不太清楚现有的库正在做什么，以及如何修改它们以使其正常工作。我已经保护会话固定/劫持，所以我对此不感兴趣。只需要在将数据加密到Web服务器之前对其进行加密。

注意：请不要发送一堆链接到独立的Javascript或PHP加密库我已经在Google上找到了。这实际上不是有用的我需要的是JavaScript加密代码和PHP解密，实际上可以协调一致地产生上述预期结果。

另外如果你可以不要发表评论，如只使用SSL。我真的希望解决这个确切的问题，即使不是最佳做法，这也是有趣的。

非常感谢！ p>

解决方案

http：// www .jcryption.org / - 您正在寻找的组合。

I'm building a website and my payment methods will be Google Checkout and Paypal. There will be links/buttons which will redirect the user to the secure Google/Paypal sites for processing the payments. This means I do not need the $150/year added expense and complexity of installing SSL certificates for my site.

However I would like to encrypt user's passwords as they are logging in so that if they are on a network some malicious person running FireSheep etc can't read the user's actual password as it is being sent to the server. The rest of the site doesn't need encryption as it's not really sensitive data and would probably slow the user experience down significantly.

My thoughts are this could be implemented with public key cryptography. Lets say the process goes something like this:

1. Public key is in the JavaScript external file, private key in PHP on the server
2. User enters their username and password into the form and clicks submit
3. The JavaScript runs and encrypts the password, storing it back in the text field
4. Form is submitted to server and the password is decrypted with PHP
5. Plain text password in PHP is salted & hashed then compared to hash in database.
6. Possible similar process for the registration/change password functions.

I'm thinking something like RSA would do the trick. But I've hunted around the net for a working JavaScript library to do it but none seem to be compatible with the PHP libraries available. At any rate it needs to generate a set of keys that are compatible with the JavaScript and PHP.

Anyone know of an actual working solution for this? If not how about we write one then open source it. Unfortunately writing encryption/decryption code is pretty complex so I don't really know exactly what the existing libraries are doing and how to modify them to make it work. I already have protection for session fixation/hijacking so I'm not interested in that. Just interested in encrypting the data before it gets to the web server.

NB: Please don't post a bunch of links to standalone Javascript or PHP encryption libraries, I've found those already on Google. That's not actually useful. What I need is code for JavaScript encryption AND PHP decryption that actually works together harmoniously to produce the intended result outlined above.

Also if you could refrain from posting comments like "just use SSL". I'd actually like a solution to this exact problem even if it's not best practice, it would be interesting none the less.

Many thanks!

解决方案

http://www.jcryption.org/ -- Is the combination you are looking for.

这篇关于SSL替代 - 使用JavaScript加密密码以提交给PHP进行解密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！