我必须使用什么加密过程通过HTTP协议l发送加密的“电子邮件”和“密码”值? [英] What encryption procedure I must use to send encrypted 'email' and 'password' values over the HTTP protocoll?
问题描述
我可以使用公开一个私人密码来实现这一点,但是如果是这样,我不能通过HTTP将公钥发送给接收者,否则黑客可以窃取密钥并解密内容。另一方面,HMAC加密(如果我理解的话)只能验证数据的完整性和消息的真实性。
我听说过 em> AES ... 是否对我的目的有好处?如果是这样,我可以在Rails上找到关于如何使用Ruby \Ruby的教程?我只需要在客户端加密用户凭据,并在服务器端解密。
PS我:如果我对我写的东西错了,让我知道。
II:如果您提出其他方法,请通知我!
更新我
*客户端是一个Web应用程序(一个网站,例如www.site1.com),该服务器是另一个Web应用程序(另一个网站,例如www。 site2.com)。
更新II
使用RSA加密...
客户端 - 服务步骤:
-
客户端生成public \private key paris
-
我(一个真正的人)复制粘贴手动将公钥从客户端转到服务
-
客户端向服务器发送包含加密用户凭据的消息(客户端不发送) HTTP请求的密钥)
-
使用公钥(只有服务知道)的服务解密用户凭据并继续登录用户
现在,如果我发送公众键而不是执行步骤2,因此客户端必须在步骤3中通过HTTP协议1发送公钥,黑客可以
-
截取消息
-
取公开密钥
-
解密用户凭据并窃取这些
所以,我应该加密用户凭据(这些是重要的和私有的信息)如果我将公钥发送到服务,使用RSA加密?
我可以使用公共私钥RSA密钥
来完成,但如果是这样,我必须
不要通过HTTP将公钥发送到
收件人,否则一个
黑客可以窃取密钥并解密
内容。
1)将公钥发送给收件人通过HTTP。
2)客户端使用它来加密数据。
3)没有黑客可以使用公钥解密内容。
4)在您的服务器中,使用私钥解密内容。
在非对称密钥加密方案中,任何人都可以使用公钥,但只有配对私钥的持有者可以解密。
编辑
背景:
如果黑客拦截公钥,她唯一可以做的就是加密数据。
即使HTTPS这样工作。 / p>
Obs:只有服务器应该知道私钥。
Obs2:一定要尝试启用HTTPS 。这将使你的生活更加容易。
I am using Ruby on Rails 3 and I would like to send 'email' and 'password' values (I know, I should not, but I need that) over the HTTP protocoll. I need to send user credentials from a my client application to a my service application*.
I can use a public a private RSA key to accomplish that but, if so, I must don't send the public key to the recipient over HTTP, otherwise an hacker can steal the key and decrypt contents. On other hands, the HMAC encryption (if I understood that) is good only to verify the data integrity and the authenticity of a message.
I heard of AES... is it good for my purposes? If so, where I can find a tutorial on how to use that with Ruby\Ruby on Rails? I "simply" need to encrypt user credentials on the client side and decrypt that on the server side.
P.S. I: If I'm wrong about something I wrote, let me know.
P.S. II: If you suggest other methods, let me know!
UPDATE I
*The client is a web application (a site web, for example 'www.site1.com), the server is another web application (another site web, for example 'www.site2.com).
UPDATE II
Using RSA encryption...
Client-I-service steps:
Client generates public\private key paris
I (a real person) copy-paste manually the public key from the client to the service
Client sends to the service the message including encrypted user credential (client doesn't send\append the public key to the HTTP request)
Service, using the public key (that only the service knows), decrypts user credentials and proceed to the login of the user
Now, if I send the public key instead of doing the step 2, and so the client must send the public key in step 3 over the HTTP protocoll, an hacker can
intercept the message
take the public key
decrypt the user credentials and steal those
So, should I encrypt user credential (those are important and private information) using a RSA encryption if I send the public key to the service?
I can use a public a private RSA key to accomplish that but, if so, I must don't send the public key to the recipient over HTTP, otherwise an hacker can steal the key and decrypt contents.
1) Send the public key to the recipient over HTTP.
2) The client uses it to encrypt the data.
3) No hacker can decrypt the contents with the public key.
4) In your server, use the private key do decrypt the contents.
Example: Encrypting Sensitive Data with Ruby (on Rails)
"In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt."
EDIT
- The public key is used to and only to encrypt data.
- The private key is used to and only to decrypt data.
If a hacker intercepts the public key, the only thing she can do is encrypt data.
Even HTTPS works this way.
Obs: Only the server should know the private key.
Obs2: By all means, try to enable HTTPS. It will make your life far easier.
这篇关于我必须使用什么加密过程通过HTTP协议l发送加密的“电子邮件”和“密码”值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
