
Established javascript solution for secure registration & authentication without SSL

Is there any solution for secure user registration and authentication without SSL?

  1. With "secure" I mean safe from passive eavesdropping, not from man-in-the-middle (I'm aware that only SSL with a signed certificate will reach this degree of security).

  2. The registration (password setup, i.e. the exchange of pre-shared keys) must also be secured without SSL (this will be the hardest part, I guess).

  3. I prefer an established and well-tested solution. If possible, I don't want to reinvent the wheel and make up my own cryptographic protocols.

Thanks in advance.

For logging in you could try SRP from Clipperz:

  • I'm not sure how strong the random number generator they use is. You might want to try and use the Crypto API to get stronger values. I'm not sure how you can get secure seed values in javascript without using the Crypto API.

For sending the initial password to the server you could use public key encryption. So the server sends the client its public key (ok under the no-MITM assumption) and the client encrypts the whole registration request when registering. Clipperz has support for public key encryption but in a very raw form. Often you use public key encryption to encrypt a randomly generated symmetric key and use the symmetric key to encrypt the payload. You have to be quite careful with padding, etc. to make public key encryption properly secure. I don't know of any robust public key crypto libraries for javascript.

You may want to check out jsbn for public key encryption because it looks like it does padding correctly. Though, I suspect it suffers from insecure random number generation. It would be a good idea to use the Crypto API or make the user bang the keyboard to generate some entropy. Snippet from rng.js:

// For best results, put code like
// <body onClick='rng_seed_time();' onKeyPress='rng_seed_time();'>
// in your main HTML document.
