Delphi - authentication mechanism suggestions
This question has only an educational purpose. At this moment I'm making a small application in which I want to include an authentication mechanism. The application should have access to the Internet when it is installed, but afterwards it can work offline. Until now I've been thinking of the following solutions:
1) Classic: username and password (encrypted) sent to an authentication webservice - problems when the Internet connection is down.
2) Generate a password based on the motherboard/hard-disk serial number - this generates issues when components are changed.
Also, I want to include a 'remember password' checkbox. Which is the safest way to do this? Where should I store this info?
I believe that most of you have made an authentication mechanism, more or less complex, and I'm asking for your opinion. Also, I know that everything can be hacked, but I want to make it as difficult as I can.
Don't reinvent the wheel!
Some rules:
To make it simple, the server creates a "challenge" for the client.
A typical implementation can be:
You can create a challenge using a good hashing algorithm (take a look at our very fast SHA-256 functions), and follow these steps:
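The challenge/response exchange this answer describes, written out as an added example (not code from the original answer or from its author's library, and in Python rather than Delphi so both sides of the exchange fit in one runnable file). It assumes a secret derived from a per-user salt and the password with SHA-256, which both sides can compute but which is never sent; the server sends a random single-use challenge and the client answers with an HMAC over it. The class and function names, the 16-byte salt and the 32-byte challenge are choices made here, not anything the answer specifies.

```python
import hashlib
import hmac
import secrets


def derive_secret(username: str, password: str, salt: bytes) -> bytes:
    """Shared secret computed independently by client and server; never transmitted.
    Note for defenders: the server's stored copy is password-equivalent for this
    protocol, so the user database needs the same protection as plaintext passwords."""
    return hashlib.sha256(salt + username.encode() + b":" + password.encode()).digest()


class AuthServer:
    def __init__(self) -> None:
        self._users = {}     # username -> (salt, secret)
        self._pending = {}   # username -> outstanding challenge (single use)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_secret(username, password, salt))

    def begin(self, username: str) -> tuple:
        """Step 1: client announces who it is; server replies with the salt and a fresh challenge."""
        if username in self._users:
            salt = self._users[username][0]
        else:
            # Constructed deterministic salt so an unknown user gets a reply of the same shape
            salt = hashlib.sha256(b"no-such-user:" + username.encode()).digest()[:16]
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return salt, challenge

    def finish(self, username: str, response: bytes) -> bool:
        """Step 3: verify the client's answer. The challenge is consumed whether or not
        the answer is right, so a captured response cannot be replayed."""
        challenge = self._pending.pop(username, None)
        if challenge is None or username not in self._users:
            return False
        _, secret = self._users[username]
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_respond(username: str, password: str, salt: bytes, challenge: bytes) -> bytes:
    """Step 2: the client proves it knows the password without sending it."""
    secret = derive_secret(username, password, salt)
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def run_login(server: AuthServer, username: str, password: str) -> bool:
    """Drive the three steps end to end, as a client talking to the server."""
    salt, challenge = server.begin(username)
    return server.finish(username, client_respond(username, password, salt, challenge))


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse battery")
    print("good password:", run_login(srv, "alice", "correct horse battery"))
    print("bad password: ", run_login(srv, "alice", "wrong"))
```

Two properties worth checking in a test are that a wrong password fails and that a previously valid response is rejected when sent a second time; the eavesdropper on an unencrypted link only ever sees the salt, the challenge and the HMAC, none of which is reusable.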
It depends on what you want to achieve. For instance, you might first retrieve some critical data from the server, then always store it locally, encrypted by the login password. This way no password is stored on the PC and you have to enter it to access the data.
Then, to remember the password, you could save its hash locally, which cannot be used to obtain the real password...
You can do what browsers do using cookies and storing the password in an encrypted file or, even better, storing it in a database. Remember that you need to update the database password in case the user changes it on the server. You do not need to generate the password. You can ask the user to do so, and check its complexity to ensure that it is safe. And always use SSL when connecting to a webservice, to ensure all data is safe to transmit.
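An added example (not code from either of the two answers above, nor from any library they mention) covering the offline side that both answers describe: data fetched from the server is cached locally under a key derived from the login password, a stored verifier lets the application check the password while offline without keeping the password itself, and a complexity check runs before a password is accepted. It is in Python so it runs with the standard library only; for that reason the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, which is an assumption made here to stay dependency-free, and a real application would use an authenticated cipher such as AES-GCM from a vetted library. Key derivation is PBKDF2-HMAC-SHA256; the iteration count, salt and nonce sizes, and the 12-character/3-class complexity rule are choices of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KDF_ITERATIONS = 200_000   # assumption: tune so one derivation takes ~100 ms on target hardware


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """One PBKDF2 call, split into three independent 32-byte keys:
    encryption key, MAC key, and a verifier that is safe to store on disk."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=96)
    return km[:32], km[32:64], km[64:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_cache(password: str, plaintext: bytes) -> dict:
    """Encrypt data retrieved from the server for offline use. The returned dict is
    what would be written to disk: it holds no password, only a slow-to-brute-force verifier."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key, verifier = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(),
            "tag": tag.hex(), "verifier": verifier.hex()}


def open_cache(password: str, blob: dict) -> Optional[bytes]:
    """Offline login: returns the cached data, or None for a wrong password or a tampered file."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key, verifier = derive_keys(password, salt)
    if not hmac.compare_digest(verifier, bytes.fromhex(blob["verifier"])):
        return None   # wrong password: the stored verifier lets us say so without a server
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None   # right password but the cache file was modified on disk
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def password_is_acceptable(password: str, min_len: int = 12) -> bool:
    """Complexity check run before a user-chosen password is accepted:
    minimum length plus at least three of four character classes (example rule)."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    pw = "Correct-Horse-42"                       # constructed sample password
    blob = seal_cache(pw, b"account data fetched from server")   # constructed sample data
    print("complexity ok:", password_is_acceptable(pw))
    print("offline open:", open_cache(pw, blob))
    print("wrong password:", open_cache("Correct-Horse-43", blob))
```

Because the verifier and the encryption key are separate slices of one PBKDF2 output, an attacker who copies the cache file still has to run the full iteration count per guess, and the "remember password" feature can be implemented as keeping the decrypted key in memory for the session rather than writing the password anywhere.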