如何处理/存储加密密钥的双向加密来加密用户密码? [英] How the handle/store encryption key in 2 way encryption to encrypt user password?
问题描述
用户给我mailserver用户名/密码,服务器应用程序将登录邮件服务器,并以一定间隔进行处理。
这意味着我确实需要纯密码,所以我不能使用安全测量来安全地存储密码。
从研究看,我需要使用2路加密(服务器可以加密也可以解密)。加密是通过使用加密密钥完成的。
处理/存储此加密密钥的最佳方法是什么?
有一件事是将加密密钥存储在另一个服务器上,所以如果我的应用程序服务器和数据库遭到黑客入侵,它们仍然没有加密密钥。虽然应用程序服务器可以访问其他服务器,但是黑客可以在我的应用程序服务器上模拟(反编译)我的应用程序,并以这种方式获取加密密钥。
这很难问题!
这是一个很好的解决方案的开始。
在第二台服务器上进行加密和解密(加密服务器)。将密码传递给加密服务器进行加密,并返回加密的密码以存储在数据库中。当需要密码时,将加密的密码通过加密服务器进行解密。
如果接收到异常数量的请求,会使加密服务器监视请求活动并在极端情况下停止处理请求。
使第二台服务器非常安全。没有互联网访问,最小的访问帐户,双因素身份验证。
加密服务器成为一个糟糕的人的HSM(硬件加密模块)。
I'm in a bit of a pickle, i have a server application that need to login in mail servers of users.
The users give me mailserver username/password and the server application will login the mailserver and do stuff at a certain interval.
This means that i do need the plain password, so i can't use security measurements to safely store the password.
From research it seems i need to use 2 way encryption (server can encrypt but also decrypt). Encryption is done by using an encryption key.
What is the best way to handle/store this encryption key?
One thing that came to mind is storing the encryption key on another server, so if my application server and database get hacked they still don't have the encryption key. Although if the application server has access to other server the hacker can simulate (decompile, compile) my application on my application server and get encryption key this way.
It's a hard problem!
That is the start of a good solution.
Do the encryption and decryption on the second server (encryption server). Pass the password to the encryption server for encryption and it returns the encrypted password to store in the DB. When the password is needed pass the encrypted password to the encryption server for decryption.
Have the encryption server monitor request activity, if an unusual number of requests are received sound an alarm and in extreme cases stop processing requests.
Make the second server very secure. No Internet access, minimal access accounts, 2-factor authentication.
The encryption server becomes a poor-man's HSM (Hardware Encryption Module).
这篇关于如何处理/存储加密密钥的双向加密来加密用户密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
