简单的XOR消息(Javascript / Tcl)?
[英]Simple XOR a message (Javascript/Tcl)?
问题描述
I need the username/password to be scrambled at the client-side before sending it over via HTTP GET/POST. 
在通过HTTP GET / POST发送用户名/密码之前,我需要在客户端对用户名/密码进行加密。 And the server will decode it with Tcl, before the checks against database. 在对数据库进行检查之前,服务器将使用Tcl对其进行解码。
Currently I'm thinking about using JavaScript for the client-side. 目前,我正在考虑将JavaScript用于客户端。 Java Applet will also do. Java Applet也可以。
Is there any way, that I can easily achieve it, using Simple XOR or any other methods? 有什么方法可以使用简单XOR或任何其他方法轻松实现? (Examples would be much appreciated) (示例将不胜感激)
I've found the few samples in C/Python/.NET/Java... But not in JavaScript and Tcl. 我在C / Python / .NET / Java中找到了一些示例,但是在JavaScript和Tcl中却没有。
SSL is not an option to use, sadly. 遗憾的是,不能选择使用SSL。
2 个解决方案
解决方案1
1 已采纳 2010-08-10 14:11:59
If ssl is not an option, then I suggest the following scheme, which many sites use instead of SSL: 如果不是ssl选项,则建议使用以下方案,许多站点都使用该方案代替SSL:
- On the client side, combine the user name and password, then calculate a hash from it (MD5 is a popular choice). 在客户端,组合用户名和密码,然后从中计算出哈希值(MD5是一种流行的选择)。
- Send the user's name and hash over to the server 将用户名和哈希发送到服务器
- On the server side, retrieve the password for that user from the database. 在服务器端,从数据库中检索该用户的密码。
- From the user name and password, calculate the hash and compare it with the client's hash. 根据用户名和密码,计算哈希并将其与客户端的哈希进行比较。 If the two match, then the passwords match. 如果两者匹配,则密码匹配。
- For added security, add a little random text to the user+password mix. 为了增加安全性,请在用户+密码组合中添加一些随机文本。 This random text, AKA the "salt", must be known on both the client and server sides. 在客户端和服务器端都必须知道此随机文本,也称为“盐”。
Here is a suggestion on how to calculate the hash using MD5: 这是有关如何使用MD5计算哈希的建议:
package require md5
proc calculateHash {user password salt} {
return md5:md5 -hex "$user:$salt:$password"
}
How to use it: 如何使用它:
set user "johnny"
set password "begood2mama"
set salt "myDog_is_meaner_than_yourDog"
set hash [calculateHash $user $password $salt]
解决方案2
1 2010-09-10 03:30:18
superNobody, superNobody,
You should consider alternatives to storing plain-text passwords in the database. 您应该考虑在数据库中存储纯文本密码的替代方法。 See: 看到:
- http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
Instead of encoding the password in Javascript, then decoding the password in Tcl to compare with the database, you should consider SHA1 hashing in Javascript, and storing SHA1 hashed values in the database. 与其使用Javascript对密码进行编码,然后使用Tcl对密码进行解码以与数据库进行比较,您应该考虑使用Javascript进行SHA1哈希处理,并将SHA1哈希值存储在数据库中。
There are several available examples of a SHA1 hash function in javascript (just Google 'sha1 javascript'). javascript中有SHA1哈希函数的几个可用示例(仅Google'sha1 javascript')。 The tcllib Tcl library has SHA1 support. tcllib Tcl库具有SHA1支持。
As HaiVu mentioned, you should also consider hashing / storing more than just a straight password hash, but instead use something like SHA1( username + websitename + password ). 如HaiVu所述,您还应该考虑散列/存储不只是直接的密码散列,而应使用SHA1(用户名+网站名称+密码)之类的东西。 You can calculate this on the client in Javascript, and store it in the db. 您可以使用Javascript在客户端上进行计算,并将其存储在数据库中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.