javascript 使用 md5.js 进行客户端密码加密并在 PHP 中解密
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24688539/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Client side password encryption using md5.js and decryption in PHP
提问by VPR
I am using a form with userand passwordfields in that I need to encrypt the password before sending the form to the server for validation. For that I am using md5.jsfor encryption on client side using the salt information.
我正在使用带有user和password字段的表单,因为我需要在将表单发送到服务器进行验证之前加密密码。为此,我md5.js使用盐信息在客户端进行加密。
test.php
test.php
<script LANGUAGE="Javascript" SRC="js/md5.js"></script>
<script>
function encryptPwd1(strPwd, strSalt, strit) {
var strNewSalt = new String(strSalt);
if (strPwd == "" || strSalt == "")
{
return null;
}
var strEncPwd;
var strPwdHash = MD5(strPwd);
var strMerged = strNewSalt + strPwdHash;
var strMerged1 = MD5(strMerged);
return strMerged1;
}
function validateForm(strSalt, strit) {
var strEncPwd = new String(encryptPwd1(document.getElementById("password").value, strSalt, strit));
document.getElementById("password").value = strEncPwd;
document.login.submit();
return true;
}
</script>
<form method="post" action="test1.php">
<input type="hidden"
name="salt"
id="salt"
value="8qadr4xnCPW275BaNpYX">
<label class="login">Password:</label>
<input
name="password"
id="password"
type="password" />
<input type="submit"
name="gos"
id="gos"
value="Login"
onClick="return validateForm('8qadr4xnCPW275BaNpYX','38');">
</form>
This is the form which contains the client encryption using JavaScript and md5.js. I can successfully encrypt the message and send it to test1.phpin that test1.php. I don't know how to decrypt the text please help me.
这是包含使用 JavaScript 和md5.js. 我可以成功地加密邮件,并将其发送给test1.php在test1.php。我不知道如何解密文本,请帮助我。
回答by RiggsFolly
Hang on a minute here.
在这里等一下。
This is just a bad idea(I can think of other adjectives here but will limit myself to BAD).
这只是一个坏主意(我可以在这里想到其他形容词,但将自己限制在 BAD)。
Anybody can read your page source with any browser, so what do I see if I do that....
任何人都可以使用任何浏览器阅读您的页面源代码,那么如果我这样做我会看到什么....
- I now know that you are using MD5 to hash your passwords on your database (let's ignore how bad MD5 is for now)
- And lo and behold I also know the SALTthat you are using!
- 我现在知道您正在使用 MD5 在您的数据库上散列您的密码(让我们暂时忽略 MD5 有多糟糕)
- 瞧,我也知道您正在使用的SALT!
Why not just give me your bank account number and PIN code, and for good measure the keys to your house and car!
为什么不直接给我你的银行账号和 PIN 码,然后再测量一下你房子和汽车的钥匙!
I assume you don't have a boat or you would have drowned by now!
我假设你没有船,否则你现在已经淹死了!
Don't try and do this in the browser, the only secure way is to use SSL.
不要尝试在浏览器中执行此操作,唯一安全的方法是使用 SSL。
回答by martinstoeckli
You want to protect the plain text password from a "man in the middle", which is listening the network traffic. Unfortunately it is not possible to prevent this with client-side java-script, because the attacker can see the sent java-script as well and would also be able to simply remove this script from the request.
您想保护纯文本密码免受“中间人”的侵害,该人正在侦听网络流量。不幸的是,使用客户端 java 脚本无法阻止这种情况,因为攻击者也可以看到发送的 java 脚本,并且还可以简单地从请求中删除此脚本。
The only reliable way to protect the transfer of the password is using HTTPS with SSL encryption. This also only works because a secret is already shared (the certificates installed within your browser).
保护密码传输的唯一可靠方法是使用带有 SSL 加密的 HTTPS。这也仅适用于已共享机密(安装在浏览器中的证书)。
Client-side hashing can have it's purpose as well, but never replaces server-side hashing. You can transfer CPU power used for hashing to the client. On the server side you would have to hash again, but with fewer rounds.
客户端散列也可以有它的目的,但永远不会取代服务器端散列。您可以将用于散列的 CPU 功率传输到客户端。在服务器端,您将不得不再次散列,但轮次较少。
回答by Masoud Salehi
Password encryption is needed because of password trace will be stored in browser memory on your computer when you make submission. If a hacker get access to your computer, with a widely available tool, your stored data will be exposed.
需要密码加密,因为提交时密码跟踪将存储在您计算机的浏览器内存中。如果黑客使用广泛使用的工具访问您的计算机,您存储的数据将被暴露。
The remedy for that is to make it harder for the hacker to get hold of your password...
对此的补救措施是让黑客更难获得您的密码......
There are two things to remember: 1) submit via form 2) submit via ajax
有两件事要记住:1)通过表单提交 2)通过ajax提交
In both cased it is important that you control the character encoding of your submission and make sure your server character encoding is in synch with your application web page.
在这两种情况下,重要的是您控制提交的字符编码并确保您的服务器字符编码与您的应用程序网页同步。
If you do not control the encoding, then your ajax call may end up with different set of encoding than your submission via form and hence your decoding will not be easy.
如果您不控制编码,那么您的 ajax 调用可能会以与您通过表单提交的不同的编码集结束,因此您的解码将不容易。
Once you have them under control then use code in what ever language you want to decode... however, you need to keep a reference of salt and stringit on server side.. and you need to randomly generate different set of strings on each page you provide for users.
一旦你控制了它们,然后使用你想要解码的任何语言的代码......但是,你需要在服务器端保留salt和stringit的引用......并且你需要在每个页面上随机生成不同的字符串集你为用户提供。
one way to do it is by including them in form as hidden inputs.. but you need to remove the inputs on the fly from the form right before you allow the form to proceed with submission.
一种方法是将它们作为隐藏输入包含在表单中......但是您需要在允许表单继续提交之前从表单中即时删除输入。
