
Is there any way to hash a password with bcrypt before sending it with the POST method?

I want to know if there is a way to hash a password with bcrypt before I send it through the POST method from the login to the processing page, to improve the security of the login script. I cannot use SSL protection to do so.

Unfortunately, even if you did what you propose, it would still not result in a secure connection, thus rendering it vulnerable to a Man in the Middle attack. As discussed in the below comments, any hashing you do client-side renders the password pointless as it will require you to send the hash over the wire, to compare to another hash server-side. The attacker (MitM) could just use the hash to authenticate in this case.

If you want secure communication, you must (at least) implement TLS/SSL.

If you hashed a password with bcrypt, given a sufficiently strong password, and a salt, the password would be safe.

If the hash that was passed in didn't match the hash on the server, you could refuse access.

However, the main problem with your design is that now the password is no longer required to gain access to the system. The hash now becomes all that's needed to authenticate. The hash has thus become a suitable replacement for the password. Well, you've just passed that pseudo-password in the open, unencrypted, to an unverified server.

Passwords should be hashed before they are stored on the server using bcrypt or something similar. However, passwords should generally be passed in to the server (in clear text over an encrypted connection) and hashed there so that you can ensure that the client actually knows the password.

One alternative to that method, and instead of SSL, that you might consider is Digest authentication, but this only works because every call to the server is re-authenticated. If you use any kind of token-based session, it could be available to replay and MitM attacks, so it must be encrypted. Also, Digest authentication is kind of old, and not as cryptographically secure as TLS, and there's no server identity verification, so we still end up back at HTTPS (SSL/TLS).

HTTPS (SSL/TLS) provides server identity verification and provides full end-to-end encryption, which is what you should use. You could mimic all the protections that SSL provides, but it seems like a lot of work trying to do something that's already there and implemented so easily.
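The point both answers make, that a hash computed in the browser becomes the credential itself, shown as an added example that is not part of the original answers. PBKDF2 from the Python standard library stands in for bcrypt here, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption): salted, iterated hash from the stdlib.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000)


class ClientHashLogin:
    """Design from the question: the browser hashes, the server compares hashes."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)  # has to be handed to the client so it can hash
        self.stored = slow_hash(password.encode(), self.salt)

    def login(self, posted_hash: bytes) -> bool:
        return hmac.compare_digest(posted_hash, self.stored)


class ServerHashLogin:
    """Design from the answer: the password arrives over TLS and is hashed server-side."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = slow_hash(password.encode(), self.salt)

    def login(self, posted_password: bytes) -> bool:
        candidate = slow_hash(posted_password, self.salt)
        return hmac.compare_digest(candidate, self.stored)


def compare_designs(password: str = "constructed-sample-password") -> dict:
    a = ClientHashLogin(password)
    b = ServerHashLogin(password)
    # Design A: these are the bytes in the POST body. Without TLS they are
    # readable on the network path, and the server cannot tell a resend of
    # them apart from a login by someone who knows the password.
    post_body = slow_hash(password.encode(), a.salt)
    return {
        "A_resent_post_body_accepted": a.login(bytes(post_body)),
        # Design A: the stored value equals the accepted value, so the
        # database column is effectively a list of plaintext credentials.
        "A_stored_hash_accepted": a.login(a.stored),
        "B_real_password_accepted": b.login(password.encode()),
        # Design B: the stored hash is not a credential; it gets hashed again.
        "B_stored_hash_accepted": b.login(b.stored),
    }


if __name__ == "__main__":
    for check, result in compare_designs().items():
        print(f"{check}: {result}")
```

Design B only protects the password in transit when the POST travels over TLS, which is why both answers end at HTTPS.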

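Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.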
