
How to encrypt the password at the client side when an MD5 salted hash algorithm is implemented on the server side

I have implemented an md5 hash salted algorithm.

Using this algorithm I have saved the hashed password and salt value to the database. Then on the login page I retrieved the salt value of the login user, got the bytes of the password, added the salt value, computed the hash and matched the result with the saved password. It is working perfectly, but I am still able to see my password value in clear text at the client side.

How can I encrypt the password value at the client side along with the md5 hash salted algorithm?

You do it the right way. You won't be able to hash the password on the client side without knowing the salt (and passing salts to the client is not a good idea). If you want the data sent by the client to be secure, use ssl.

Note: If you use ssl, the client will still be able to see my password value in clear text, because the data will be encrypted only before sending.

You can use the data protection API (DPAPI) to store the password on the client side securely. Use the SafeString class to store the password in memory and, as @PLB already mentioned, use an encrypted connection.

If you are worried about the password which you are typing in the text box, then change the TextMode of the textbox to Password.

Like this:

<asp:TextBox ID="txtPassword" runat="server" TextMode="Password"></asp:TextBox>

There are many different ways to solve this; the easiest I can come up with right now is to use some kind of challenge: the server sends a value the client has to use as a salt. The server ensures that the value is unique, hasn't expired, and is only used once (this makes sure a replay attack isn't possible).

This makes sure that a plain text password isn't sent, only a hashed one. The server can trust (trust as much as when doing plain text auth anyway) the client not to simply resend some old hash, since the clear text password is needed to compute the hash with the "one-time salt".

Another, more sophisticated (and secure) way is to generate an RSA key pair from the password, where the server has the public key and the client the private one. The client also has a copy of the server's public key. The user enters the password, and only the correct password will yield the correct RSA key.

The user then encrypts the requests with the server's public key, and then signs the requests with the user's private key. Only the server can then decrypt the requests, and the server can verify that the sender really is the right user by checking the signature with the user's public key. And the opposite for the response. To add some security you should add some unique "salt", as I wrote earlier, to ensure replay attacks are impossible.
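The challenge flow described in this answer, as an added example that is not taken from the thread: the server issues a random one-time challenge with an expiry, the client answers with an HMAC over the salted verifier keyed by that challenge, and the server consumes the challenge on first use so a resent response is rejected. It assumes the client is given the user's salt together with the challenge (an assumed design choice; the first answer above advises against sending salts) and uses MD5 only because that is the scheme in the question.

```python
import hashlib, hmac, secrets, time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (constructed value)

def make_verifier(password: str, salt: bytes) -> bytes:
    # Salted MD5 as in the question; kept only because it is the scheme under
    # discussion. A slow password hash belongs here in a real system.
    return hashlib.md5(salt + password.encode()).digest()

def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    # Sent instead of the clear-text password: HMAC of the verifier keyed with
    # the one-time challenge (assumed construction, not from the thread).
    return hmac.new(challenge, make_verifier(password, salt), "sha256").digest()

class ChallengeServer:
    def __init__(self, users, now=time.time):
        self.users = users        # username -> (salt, stored verifier)
        self.challenges = {}      # challenge -> (username, issued_at)
        self.now = now            # injectable clock so expiry can be tested

    def issue(self, username):
        challenge = secrets.token_bytes(16)        # unique and unpredictable
        self.challenges[challenge] = (username, self.now())
        return challenge, self.users[username][0]  # salt is sent to the client

    def verify(self, username, challenge, response):
        entry = self.challenges.pop(challenge, None)   # pop => single use
        if entry is None:
            return False   # unknown or already consumed: replay rejected
        owner, issued_at = entry
        if owner != username or self.now() - issued_at > CHALLENGE_TTL:
            return False   # wrong user or expired challenge
        expected = hmac.new(challenge, self.users[username][1], "sha256").digest()
        return hmac.compare_digest(expected, response)

def demo():
    # Returns (first login, replay, expired challenge, wrong password) outcomes.
    clock = [1000.0]
    salt = secrets.token_bytes(8)   # constructed sample user "alice"
    server = ChallengeServer({"alice": (salt, make_verifier("hunter2", salt))}, now=lambda: clock[0])
    c1, s1 = server.issue("alice")
    r1 = client_response("hunter2", s1, c1)
    first = server.verify("alice", c1, r1)
    replay = server.verify("alice", c1, r1)        # same response resent
    c2, s2 = server.issue("alice")
    r2 = client_response("hunter2", s2, c2)
    clock[0] += CHALLENGE_TTL + 1                  # let the challenge expire
    expired = server.verify("alice", c2, r2)
    c3, s3 = server.issue("alice")
    wrong = server.verify("alice", c3, client_response("wrong", s3, c3))
    return first, replay, expired, wrong
```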
