RSA Encrypt/Decrypt in TypeScript

Disclaimer: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). Original StackOverflow address: http://stackoverflow.com/questions/46642143/

Time: 2020-10-21 04:57:21  Source: igfitidea

Tags: javascript, angular, typescript, encryption, rsa

Asked by Romeortec

I'm using Angular 4 to make the front end of my application. I have implemented OAuth2 on my backend (developed with Spring in Java), so people using my application must be authenticated.

The thing is that we can see clearly the passwords from the backend server logs and it could be caught by a MITM until I add a SSL.

That's why I decided to encrypt the sent password with RSA. My backend is already ready, but I don't find any up-to-date libraries that provide a decent API for encrypt/decrypt from a RSA key-pair.

Also seen the crypto module, but it is no longer usable on ECMAScript 6. The crypto-js one only provides AES and some hashing such as MD5/SHA.

Accepted answer by Romeortec

Finally found a way, after installing some packages.

npm install buffer
npm install crypto-browserify

Then use it

import {config} from "../app.config";
import {Buffer} from 'buffer/';
import * as crypto from "crypto-browserify";

export class RsaService {
  private privateKey: string;
  private publicKey: string;
  private enabled: boolean;

  constructor() {
    // Both keys are read from the front-end config, so both are bundled into the browser app.
    this.privateKey = config.authentication.rsa.privateKey;
    this.publicKey = config.authentication.rsa.publicKey;
    this.enabled = config.authentication.rsa.enabled;
  }

  isEnabled(): boolean {
    return this.enabled;
  }

  // Encrypts with the private key (the signing direction): the output can be
  // recovered by anyone who holds the matching public key.
  encrypt(plaintext: string): string {
    if (!this.enabled)
      return plaintext;

    // Buffer.from replaces the deprecated `new Buffer(...)` constructor.
    const buffer = Buffer.from(plaintext, 'utf8');
    const encrypted = crypto.privateEncrypt(this.privateKey, buffer);

    return encrypted.toString('base64');
  }

  decrypt(cypher: string): string {
    if (!this.enabled)
      return cypher;

    const buffer = Buffer.from(cypher, 'base64');
    const plaintext = crypto.publicDecrypt(this.publicKey, buffer);

    return plaintext.toString('utf8');
  }
}

Answer by Quirinux

Depending on where those network logs have been captured, it is really possible to get back the whole HTTP pipeline in plain text: once SSL works on a specific communication layer, it's just a matter of listening to the stream on a higher layer and boom, it's there. This is an answer to some comments above.

About the architecture itself, it makes complete sense once you're worried about protecting your data from unwanted eyes, so in a theoretical way I would suggest some approaches:

1) create your own encryption method and use it on both sides. A simple matrix multiplication could be useful, sounds insane I know, but if it's a non-critical flow I don't see any problem with that

2) use crypto-js on both sides as well, like calling a JavaScript code portion from your Java code to encrypt/decrypt the password

3) use an external authentication/authorization entity, like Google, Twitter, Facebook, or a more enterprise solution like IBM BlueID, Azure or AWS, or even your own domain controller for that; going even further, you can use an external auth entity together with your own domain controller, which is called Federation

I mean, there are several options to get it solved, from something very simple like making your own solution up to a huge structure; not sure where you are between those two points, but it's cool to be aware of sensitive data.
