简体繁体 English

安全的客户端脚本

[英]Secured Client-Side script

原文 2009-11-24 16:39:26 3 9 javascript/ security/ client-server/ client-side

I have got a particular requirement where some critical algorithms have to be handled in the client-side script and it got to be secured. 我有一个特殊的要求，其中一些关键算法必须在客户端脚本中处理，并且必须得到保护。 Using javascript will just expose the algorithm. 使用javascript只会暴露算法。 I am currently evaluating ways to secure the algorithm on the client script. 我目前正在评估在客户端脚本上保护算法的方法。 Appreciate any suggestions and alternative approaches. 感谢任何建议和替代方法。

One option I am thinking about is to download a small applet to the local PC, get the calculations done in it and update the results back. 我正在考虑的一个选择是将一个小applet下载到本地PC，在其中完成计算并更新结果。 Before deciding on this, I want to know if a client script itself can be made secure coz that would be much easier. 在决定这一点之前，我想知道客户端脚本本身是否可以更安全，因为它会更容易。

Thanks in advance! 提前致谢！

9 个解决方案

You CANNOT secure anything on a client PC. 您无法在客户端PC上保护任何内容。

Everything you are doing client-side is crackable and spuffable. 你在客户端做的每件事都是可以破解和消费的。

That's the PC of the client. 那是客户端的PC。 It will be doing anything the client has requested it to do. 它会做客户要求它做的任何事情。

Script is not secure, also what level of security do you need? 脚本不安全，您还需要什么级别的安全性？ If you download anything to the client the client will be able to look at the algorithim. 如果您将任何内容下载到客户端，客户端将能够查看算法。 Of course if you download a native dll, then decompiling it will be harder, the question is if this is good enough. 当然，如果你下载一个原生dll，那么反编译会更难，问题是这是否足够好。

That an important thing most people miss when evaluating security nothing is trully 100% secure. 在评估安全性时，大多数人都错过的重要事情是100％安全。 Because your server admin could go in and steal the binaries off your server. 因为您的服务器管理员可以进入并窃取服务器上的二进制文件。 And if your using third party hosting who knows who has access to the server. 如果您使用第三方托管谁知道谁有权访问该服务器。

The idea is to raise the bar. 这个想法是提高标准。 Do you want to prevent the average script kiddie? 你想阻止普通的脚本小子吗？ Obfuscate it, make it hard for them to understand the gain of understanding the algorithim might not justify the pain in trying to understand it. 对它进行模糊处理，使他们难以理解理解算法的好处，可能无法证明理解它的痛苦。

The best that you can probally do is keep the algorithim on the server and expose it via a web service. 您可以做的最好的事情是将算法保留在服务器上并通过Web服务公开它。

Everything that the end-user is controlling to 100% may be tampered with, and this is especially true with JavaScript that is so easily exposed. 最终用户控制到100％的所有内容都可能被篡改，对于容易暴露的JavaScript尤其如此。

You are going down the wrong path. 你走错了路。 You need to rethink your approach. 你需要重新思考你的方法。

您可以构建包含关键算法的Web服务，并从javascript调用它。

Bottom line is, if someone wants your logic ... they will get it unless it is server-side and they never obtain it in any way. 最重要的是，如果有人想要你的逻辑......他们会得到它，除非它是服务器端的，他们永远不会以任何方式获得它。

What you want is a Javascript obfuscator 你想要的是一个Javascript混淆器

Nothing on the client side can be totally "secure". 客户端没有任何东西可以完全“安全”。

Anything you make them download will have to be run on the client PC, and so can be analysed. 您下载的任何内容都必须在客户端PC上运行，因此可以进行分析。 If you have them download an applet or a native executable, it will still contain machine instructions that can be analysed at the very least to an assembly level. 如果您让他们下载applet或本机可执行文件，它仍将包含可以至少分析到程序集级别的机器指令。

Is there no way you can have the client upload the data to your server instead and perform the calculation on the server side? 您是否无法让客户端将数据上传到您的服务器并在服务器端执行计算？

It it's client-side, then it's not secure. 它是客户端，然后它不安全。 Anything with critical security concerns should be done on the server. 任何有严重安全问题的事情都应该在服务器上完成。

NPAPI插件将在客户端执行，并使逆向工程变得更加困难......但当然一个坚定的黑客将能够通过...

Theoretically (and I mean this is a Comp.Sci. sense) this is possible. 从理论上讲（我的意思是这是一个Comp.Sci。感觉）这是可能的。 The cryptographical technique is known as "fully homomorphic encryption". 密码技术被称为“完全同态加密”。 For now, the method isn't practical yet. 目前，该方法还不实用。 There are no compilers available that are able to transform your algorithm in its equivalent secure form. 没有可用的编译器能够以等效的安全形式转换算法。