[英]Inserting encrypted password using RSACryptoServiceProvider class into DB?
I have WCF service that being used by clients, and the following is my current implementation for user authentication, I want a recommendation to enhance it or better mechanism. 我有客户端正在使用的WCF服务,以下是我当前用于用户身份验证的实现,我想要一个建议来增强它或更好的机制。
I am using RSACryptoServiceProvider class (RSA implementation) to save encrypted user passwords into database 我正在使用RSACryptoServiceProvider类(RSA实现)将加密的用户密码保存到数据库中
The client should encrypt password every log-in using public key (stored in file) and send it to logging method with user name 客户端应在每次登录时使用公共密钥(存储在文件中)对密码进行加密,并将其发送给具有用户名的登录方法
On the server side the log-in method select the encrypted password for the supplied user name and compare decrypted passwords (sent by user and db one) using private key 在服务器端,登录方法选择提供的用户名的加密密码,并使用私钥比较解密的密码(由用户和数据库一发送)
Note: every time you encrypt the string using RSA with the same public key a new encrypted bytes generated, so I can not compare encrypted passwords and I have to decrypt them to compare 注意:每次使用具有相同公共密钥的RSA加密字符串时,都会生成一个新的加密字节,因此我无法比较加密密码,因此必须解密它们才能进行比较
PS The answers say "For authentication purposes you should avoid storing the passwords using reversible encryption" PS答案说:“出于身份验证的目的,应避免使用可逆加密来存储密码”
I am asking if no one can decrypt the password except if he has the private key, so what is the problem, even the hashing is not reversible but it is broken!! 我要问的是,除了拥有私钥之外,没有人可以解密密码,这是什么问题,即使哈希是不可逆的,但它还是坏了!
It's not common practice to store passwords encrypted instead of hashed. 存储加密而不是散列的密码是不常见的做法。 Do you have any particular reason to do so?
您是否有任何特定原因?
If no, I would suggest to store the passwords hashed (SHA-2 or something like that) with a salt. 如果没有,我建议用盐存储散列的密码(SHA-2或类似名称)。
I think there are two issues that need attention: 我认为有两个问题需要注意:
Existing password based key agreements such as SRP address both problems. 现有的基于密码的密钥协议(例如SRP)解决了这两个问题。
Your solution to encrypt passwords with RSA is not bad idea but is a partial solution only: Since RSA randomizes the encryption, it prevents offline dictionary attacks. 使用RSA加密密码的解决方案不是一个坏主意,而只是部分解决方案:由于RSA随机化了加密,因此可以防止离线字典攻击。 From your description it is unclear if your proposal prevents replay attacks.
根据您的描述,尚不清楚您的建议是否可以防止重放攻击。 Can an attacker login by sending a previously intercepted encrypted password or do you have a countermeasure such as time-stamps?
攻击者可以通过发送先前拦截的加密密码来登录,还是您有诸如时间戳之类的对策?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.