如何在客户端(AngularJS)上加密密码,将其发送到服务器(expressJS)并在服务器上解密?
[英]How to encrypt a password on the client (AngularJS), send it to the server (expressJS) and decrypt it on the server?
问题描述
I want to encrypt a password on the client (angular.js), send it to the server (express.js) and decrypt it on the server. 
我想加密客户端上的密码(angular.js),将其发送到服务器(express.js)并在服务器上解密。 I would like a simple method. 我想要一个简单的方法。 I use $http to POST requests. 我使用$ http来POST请求。 I know that exits angular-bcrypt library and the same in nodeJS, but not worth for me, because it only has the method compare. 我知道退出angular-bcrypt库和nodeJS中的相同,但不值得我,因为它只有方法比较。
I want something like that: 我想要这样的东西:
password = document.getElementById('txtPassword').value;
var xorKey = 129; /// you can have other numeric values also.
var result = "";
for (i = 0; i < password.length; ++i) {
result += String.fromCharCode(xorKey ^ password.charCodeAt(i));
}
But,I only found the method for decrypting in c#: 但是,我只在c#中找到了解密方法:
public bool Authenticate(string userName, string password)
{
byte result = 0;
StringBuilder inSb = new StringBuilder(password);
StringBuilder outSb = new StringBuilder(password.Length);
char c;
for (int i = 0; i < password.Length; i++)
{
c = inSb[i];
c = (char)(c ^ 129); /// remember to use the same XORkey value you used in javascript
outSb.Append(c);
}
password = outSb.ToString();
// your rest of code
}
Any idea? 任何想法? Thank you very much. 非常感谢你。 :P :P
3 个解决方案
解决方案1
15 2016-05-12 13:09:16
Passwords should never be decrypted. 密码永远不应该被解密。 They should be hashed with one-way encryption. 它们应该使用单向加密进行散列。 The server should provide a nonce so that the client returns a different but verifiable answer on each login. 服务器应提供一个nonce,以便客户端在每次登录时返回不同但可验证的答案。
All passwords should be hashed, salted and stretched. 所有密码都应进行哈希,盐渍和拉伸。 If it can be decrypted, it is not safe. 如果可以解密,则不安全。 See Serious Security: How to store your users' passwords safely . 请参阅严重安全性:如何安全地存储用户密码 。
My favorite answer: 我最喜欢的答案:
You need a library that can encrypt your input on client side and transfer it to the server in encrypted form.
You can use following libs:
- jCryption .
Update after 3 years:
Update after 4 years (Wohoo!)
- CryptoJS - Easy to use encryption
- ForgeJS - Pretty much covers it all
Still not convinced?
- OpenPGP.JS - Put the OpenPGP format everywhere - runs in JS so you can use it in your web apps, mobile apps & etc.
See also: 也可以看看:
Is it worth hashing passwords on the client side 是否值得在客户端散列密码
UPDATE March 2017 : Consider getting a free SSL Certificate with 更新2017年3月 :考虑获得免费的SSL证书
https://letsencrypt.org/about/ https://letsencrypt.org/about/
解决方案2
3 2016-05-11 18:58:58
The only secure way to securely transmit data between client and server is to secure the connection with SSL. 在客户端和服务器之间安全传输数据的唯一安全方法是使用SSL保护连接。 What you're essentially doing is just obfuscation, which can be reversed. 你基本上做的只是混淆,可以逆转。
解决方案3
2 2016-05-11 18:59:01
You can use the Stanford Javascript Crypto Library: https://bitwiseshiftleft.github.io/sjcl/ . 您可以使用Stanford Javascript加密库: https : //bitwiseshiftleft.github.io/sjcl/ 。 It should work for both Angular and Node. 它应该适用于Angular和Node。
Beyond that, your best bet is to make sure that you use HTTPS for your connections. 除此之外,最好的办法是确保使用HTTPS进行连接。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.