
HTTPS : How do I Encrypt _only_ the password _only_ when user is signing in or registering?

Suppose I have a login web form like the following:

UserId : testuser

Password : ThisIsStrongPwd

[LOGIN] (button)

Now, all I want to do is encrypt the password (using an industry-accepted secure measure) when the user clicks the [LOGIN] button.

I know that SSL will encrypt the entire POST, right? The steps will be something like:

  1. User types id and password.
  2. User clicks [LOGIN] button Info is posted securely to web server. --- How?
  3. Server-side checks the pwd the user posted against the (hashed) one in the database.
  4. Server returns to user their default.aspx page or index.htm page or whatever on an UNencrypted (non-SSL) URL.

There is no need for the rest of the session to be encrypted -- and possibly slow. How would you do this using ASP.NET for example? or ASP.NET MVC?

..all I want to do is encrypt the password (using an industry-accepted secure measure) ..

For your use case, SSL is the only industry-accepted secure measure. There are ways to encrypt and send form data from the browser without requiring SSL, such as jCryption. But they are not a replacement for SSL. Read this: Javascript Cryptography Considered Harmful.

SSL is used to encrypt the transport layer; it's not a tool to encrypt specific values. All requests and responses for the page are encrypted, which is the point of having the page secure.

You can only send data securely from a page that is secure. If you would only encrypt data one way, you would be sending the data from an insecure page. Someone could have intercepted the page and added code to it that steals the password before it's encrypted.

This is not possible in an application where you will accept users you (the server) do not otherwise know. The foundational problem you have is the requirement to share a secret that will enable you to encrypt and decrypt information that no one else can read.

Without a process to negotiate that secret, you cannot communicate securely. Negotiating that secret is one of the key features of SSL/TLS.

It will likely be useful to read up on the history and implementation of TLS to understand why it is necessary to have a fully secure channel. You may also be interested to learn about session jacking, a mechanism by which a third-party can "steal" a login token that is exposed outside of an SSL session.
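The question asks how this would be done in ASP.NET MVC, and the answers above say the only real option is to put the login form and its POST on SSL (first answer) and to keep the resulting login token off the unencrypted pages, since otherwise it can be hijacked (third answer). The following is an added example written for this page, not code from the question, any of the answers, or the jCryption project; it is an ASP.NET MVC 5 (System.Web.Mvc) controller, and the names AccountController, IUserStore, LoginModel, the PBKDF2 iteration count and the stored-hash layout are assumptions. It also assumes a dependency resolver is registered so the controller can receive its IUserStore.

```csharp
// Added example (not from the question or any answer): an ASP.NET MVC 5 login
// controller that follows the answers' advice. AccountController, IUserStore,
// LoginModel and the stored-hash format are hypothetical names for illustration.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    public string UserId { get; set; }
    public string Password { get; set; }
}

// Hypothetical lookup of the per-user salt and PBKDF2 hash saved at registration.
public interface IUserStore
{
    bool TryGetCredential(string userId, out byte[] salt, out byte[] storedHash);
}

// [RequireHttps] refuses plain-http requests to every action on this controller,
// so both the GET that serves the form and the POST that carries the password
// travel inside SSL (the first answer's point: the page itself must be secure).
[RequireHttps]
public class AccountController : Controller
{
    private const int Pbkdf2Iterations = 100000; // assumed tuning value
    private const int HashBytes = 32;
    private readonly IUserStore _users;

    public AccountController(IUserStore users) { _users = users; }

    [HttpGet]
    public ActionResult Login() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        // Step 3 of the question: check the posted password against the stored hash.
        if (model != null
            && _users.TryGetCredential(model.UserId, out var salt, out var storedHash)
            && VerifyPassword(model.Password, salt, storedHash))
        {
            // The login token is the thing the third answer warns about. Marking
            // the cookie Secure means the browser will never send it over http://,
            // and HttpOnly keeps page script from reading it.
            HttpCookie ticket = FormsAuthentication.GetAuthCookie(model.UserId, createPersistentCookie: false);
            ticket.Secure = true;
            ticket.HttpOnly = true;
            Response.Cookies.Add(ticket);
            return RedirectToAction("Index", "Home");
        }

        // Same message for unknown user and wrong password: no account enumeration.
        ModelState.AddModelError(string.Empty, "Invalid user id or password.");
        return View(model);
    }

    // PBKDF2 (Rfc2898DeriveBytes) with the user's own salt, compared in constant time
    // so the comparison does not leak how many leading bytes matched.
    internal static bool VerifyPassword(string password, byte[] salt, byte[] storedHash)
    {
        if (password == null || salt == null || storedHash == null) return false;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
        {
            byte[] candidate = kdf.GetBytes(HashBytes);
            if (candidate.Length != storedHash.Length) return false;
            int diff = 0;
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ storedHash[i];
            return diff == 0;
        }
    }
}
```

Two caveats follow directly from the answers. First, because the auth cookie is Secure, the unencrypted default.aspx or index.htm pages from step 4 of the question will receive no cookie at all and will treat the visitor as anonymous; that is exactly the trade-off the third answer describes, and the usual resolution is to serve the whole logged-in session over SSL rather than to drop the Secure flag. Second, the same Secure-cookie behaviour can be enforced site-wide in web.config with `<forms requireSSL="true" />`, which is easier to audit than setting the flag in each action.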
