How to encrypt a password on the client (AngularJS), send it to the server (expressJS) and decrypt it on the server?
I want to encrypt a password on the client (angular.js), send it to the server (express.js) and decrypt it on the server. I would like a simple method.
I use $http to POST requests.
I know that the angular-bcrypt library exists, and the same for nodeJS, but it is not worthwhile for me, because it only has the compare method.
I want something like this:
```javascript
var password = document.getElementById('txtPassword').value;
var xorKey = 129; /// you can have other numeric values also.
var result = "";
// XOR every character of the password with the fixed key
for (var i = 0; i < password.length; ++i) {
    result += String.fromCharCode(xorKey ^ password.charCodeAt(i));
}
```
But I only found the method for decrypting in C#:
```csharp
public bool Authenticate(string userName, string password)
{
    byte result = 0;
    StringBuilder inSb = new StringBuilder(password);
    StringBuilder outSb = new StringBuilder(password.Length);
    char c;
    for (int i = 0; i < password.Length; i++)
    {
        c = inSb[i];
        c = (char)(c ^ 129); /// remember to use the same XORkey value you used in javascript
        outSb.Append(c);
    }
    password = outSb.ToString();
    // your rest of code
}
```
Any idea? Thank you very much. :P
Passwords should never be decrypted. They should be hashed with one-way encryption. The server should provide a nonce so that the client returns a different but verifiable answer on each login.
All passwords should be hashed, salted and stretched. If it can be decrypted, it is not safe. See Serious Security: How to store your users' passwords safely.
My favorite answer:
You need a library that can encrypt your input on the client side and transfer it to the server in encrypted form.
You can use the following libs:
- jCryption. Client-Server asymmetric encryption over Javascript
Update after 3 years:
Update after 4 years (Wohoo!)
- CryptoJS - Easy to use encryption
- ForgeJS - Pretty much covers it all
Still not convinced? Neither am I :)
- OpenPGP.JS - Put the OpenPGP format everywhere - runs in JS so you can use it in your web apps, mobile apps, etc.
See also:
Is it worth hashing passwords on the client side
UPDATE March 2017: Consider getting a free SSL Certificate with https://letsencrypt.org/about/
The only secure way to securely transmit data between client and server is to secure the connection with SSL. What you're essentially doing is just obfuscation, which can be reversed.
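What the answers above describe (obfuscation that can be reversed, versus passwords that are hashed, salted and stretched), as an added example that is not part of the original posts. It assumes Node.js on the server with the password arriving over HTTPS; scrypt, its cost parameters, the `salt:hash` record format and all function names are choices made for this example.

```javascript
// Added example, not code from the original posts.
const nodeCrypto = require('node:crypto');

// The question's client-side scheme: XOR each character with a fixed key.
// Applying the same function again restores the input, so anyone who can
// read the page's JavaScript can undo it.
function xorObfuscate(text, key = 129) {
  let out = '';
  for (let i = 0; i < text.length; ++i) {
    out += String.fromCharCode(key ^ text.charCodeAt(i));
  }
  return out;
}

// Server-side storage: a random per-user salt plus scrypt, a deliberately
// slow, memory-hard derivation ("stretching"). Parameters are assumptions.
const SCRYPT = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 32;

function hashPassword(password) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, KEY_LEN, SCRYPT);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  if (!saltHex || !hashHex) return false; // malformed record
  const expected = Buffer.from(hashHex, 'hex');
  const salt = Buffer.from(saltHex, 'hex');
  const actual = nodeCrypto.scryptSync(password, salt, KEY_LEN, SCRYPT);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return actual.length === expected.length &&
    nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed sample input.
const sample = 'correct horse';
console.log('XOR undone:', xorObfuscate(xorObfuscate(sample)) === sample);
const record = hashPassword(sample);
console.log('stored record:', record);
console.log('right password:', verifyPassword(sample, record));
console.log('wrong password:', verifyPassword('wrong', record));
```

The stored record cannot be turned back into the password; the server only recomputes the hash from a login attempt and compares.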
You can use the Stanford Javascript Crypto Library: https://bitwiseshiftleft.github.io/sjcl/ . It should work for both Angular and Node.
Beyond that, your best bet is to make sure that you use HTTPS for your connections.