
Delphi - authentication mechanism suggestions

This question has an educational purpose only. At this moment I'm making a small application in which I want to include an authentication mechanism. The application should have access to the Internet when it is installed, but afterwards it can work offline. Until now I've been thinking of the following solutions:

1) Classic: Username and password (encrypted) sent to an authentication webservice - problems when the Internet connection is down.
2) Generate a password based on the motherboard/hard-disk serial number - this generates issues when components are changed.

Also, I want to include a 'remember password' checkbox. Which is the safest way to do this? Where should I store this info?

I believe that most of you have made an authentication mechanism, more or less complex, and I'm asking for your opinion. Also, I know that everything can be hacked, but I want to make it as difficult as I can.

Don't reinvent the wheel!

Some rules:

  • authentication must be per user;
  • authentication must be for a session, i.e. for a network connection and some given time;
  • never store a password in the clear on disk, but use a hash;
  • never transmit a password over the network, but use a hash;
  • add some "salt" (i.e. random data) during the hashing of any value;
  • try to achieve some kind of Zero-knowledge proof.

To make it simple, the server creates a "challenge" for the client.

A typical implementation can be:

  1. Client connects to a server, stating its user name;
  2. Server checks the name, then creates and sends a challenge to the Client;
  3. Client asks the user to enter their password, then uses it to respond to the challenge;
  4. Server receives the answer, then checks that the challenge is correct.

You can create a challenge using a good hashing algorithm (take a look at our very fast SHA-256 functions), and follow these steps:

  • The user enters their initial password, then its SHA-256 is transmitted to the server (e.g. encrypted via a fixed private key);
  • The server stores user names / password hashes as key/values;
  • The server creates a challenge by creating a random block (using SHA-256 of some random data, including the current time and other Randomize+Random values...);
  • The client hashes this random block (received from the server) with the hash of the password just entered by the user;
  • The server receives the result from the client, computes its own version using the stored password hash of the user, and compares the two values: the challenge is successful if both values are the same.
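
The exchange described in the steps above, modelled in Python as an added example (it is not the answerer's code, nor Delphi code from any library); the user names, TTL and the transport encryption of the enrollment message are left out or assumed. Note that the stored SHA-256 of the password is enough to answer any challenge, so the server's credential store has to be protected like the password itself.

```python
import hashlib
import hmac
import secrets
import time

def sha256(*parts: bytes) -> str:
    """SHA-256 over the concatenation of the given byte strings, as hex."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.hexdigest()

class Server:
    def __init__(self, ttl_seconds: float = 60.0):
        self.users = {}    # user name -> SHA-256(password) hex; this hash IS the credential
        self.pending = {}  # user name -> (challenge, issue time); each challenge is single-use
        self.ttl = ttl_seconds

    def register(self, user: str, password_hash: str) -> None:
        # Enrollment: the client sends SHA-256(password), never the password itself.
        self.users[user] = password_hash

    def issue_challenge(self, user: str) -> str:
        if user not in self.users:
            raise KeyError("unknown user")
        # Random block: SHA-256 over CSPRNG bytes plus the current time.
        challenge = sha256(secrets.token_bytes(32), repr(time.time()).encode())
        self.pending[user] = (challenge, time.monotonic())
        return challenge

    def verify(self, user: str, response: str) -> bool:
        issued = self.pending.pop(user, None)  # consume it, so a replayed answer fails
        if issued is None:
            return False
        challenge, issued_at = issued
        if time.monotonic() - issued_at > self.ttl:
            return False  # challenge expired
        expected = sha256(challenge.encode(), self.users[user].encode())
        return hmac.compare_digest(expected, response)  # constant-time comparison

def client_password_hash(password: str) -> str:
    return sha256(password.encode())

def client_response(challenge: str, password: str) -> str:
    # The client hashes the server's random block with the hash of the typed password.
    return sha256(challenge.encode(), client_password_hash(password).encode())

def login(server: Server, user: str, password: str) -> bool:
    """One full exchange: user name -> challenge -> response -> verdict."""
    return server.verify(user, client_response(server.issue_challenge(user), password))
```

The server only ever sees the random block and a hash derived from it, and because each challenge is consumed on first use and expires after `ttl_seconds`, a captured response cannot be replayed for a new session.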

It depends on what you want to achieve. For instance, you might first retrieve some critical data from the server, then always store it locally, encrypted by the login password. This way no password is stored on the PC and you have to enter it to access the data.

Then, to remember the password, you can store its hash locally, which cannot be used to obtain the real password...

You can do what browsers do using cookies, storing the password in an encrypted file or, even better, storing it in a database. Remember that you need to update the database password in case the user changes it on the server. You do not need to generate the password. You can ask the user to do so, and check its complexity to ensure that it is safe. And always use SSL when connecting to a webservice, to ensure all data is safe to transmit.
