如何转移密码以便登录到Asp.net身份 [英] How should password be transfered for logon in Asp.net Identity
问题描述
一个快速的答案可以是:使用ssl来加密密码传输,但这不是一个可行的解决方案给大家。
这就是我们的想法:
登录表单提供了一次性随机令牌,然后它将密码散列,并将其附加到到令牌并再次散列。结果被发送到服务器。
服务器具有密码和随机令牌的散列,将它们连接在一起,如果它们的散列等于客户端发送的内容,则继续进行登录过程。
这对于Asp.net标识提供的当前API是不可能的:它需要原始密码。
我们应该怎么做?仅依赖于ssl?有没有一种方法来安全的密码传输,而无需ssl?
解决方案网络依靠https保护密码等敏感信息。我会说遵循标准。您的哈希算法不像几十年的https开发那样久经考验。
We are using Asp.net Identity (currently version 2). For the purpose of local user authentication, the framework expects clear-text passwords. As far as I understand, this is not the safe method to transfer passwords.
A quick answer can be: use ssl to encrypt password transfer, but this is not a viable solution to everyone.
This is what we think: The logon form is provided with a one-time random token, then it hashes the password, attaches it to the token and hashes it again. The result is sent to the server. The server has the hash of the password and the random token, concats them together and if their hash equals what the client sent, proceeds with the logon process.
This is not possible with the current api provided by Asp.net identity: It expects raw password.
What should we do? Rely only on ssl? Is there a way to secure password transfer without ssl?
The web relies on https for securing sensitive information like passwords. I'd say follow the standard. Your hashing algorithm isn't as tried and true as decades of https development.
这篇关于如何转移密码以便登录到Asp.net身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
