Javascript 如何在客户端(AngularJS)上加密密码,将其发送到服务器(expressJS)并在服务器上解密?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/37170981/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to encrypt a password on the client (AngularJS), send it to the server (expressJS) and decrypt it on the server?
提问by Izaskun Pe?a
I want to encrypt a password on the client (angular.js), send it to the server (express.js) and decrypt it on the server. I would like a simple method. I use $http to POST requests. I know that exits angular-bcrypt library and the same in nodeJS, but not worth for me, because it only has the method compare.
我想在客户端(angular.js)上加密密码,将其发送到服务器(express.js)并在服务器上解密。我想要一个简单的方法。我使用 $http 来发布请求。我知道存在 angular-bcrypt 库和 nodeJS 中的相同,但对我来说不值得,因为它只有方法比较。
I want something like that:
我想要这样的东西:
password = document.getElementById('txtPassword').value;
var xorKey = 129; /// you can have other numeric values also.
var result = "";
for (i = 0; i < password.length; ++i) {
result += String.fromCharCode(xorKey ^ password.charCodeAt(i));
}
But,I only found the method for decrypting in c#:
但是,我只在c#中找到了解密的方法:
public bool Authenticate(string userName, string password)
{
byte result = 0;
StringBuilder inSb = new StringBuilder(password);
StringBuilder outSb = new StringBuilder(password.Length);
char c;
for (int i = 0; i < password.Length; i++)
{
c = inSb[i];
c = (char)(c ^ 129); /// remember to use the same XORkey value you used in javascript
outSb.Append(c);
}
password = outSb.ToString();
// your rest of code
}
Any idea? Thank you very much. :P
任何的想法?非常感谢。:P
回答by georgeawg
Passwords should never be decrypted. They should be hashed with one-way encryption. The server should provide a nonceso that the client returns a different but verifiable answer on each login.
密码不应该被解密。它们应该使用单向加密进行散列。服务器应该提供一个随机数,以便客户端在每次登录时返回一个不同但可验证的答案。
All passwords should be hashed, salted and stretched. If it can be decrypted, it is not safe. See Serious Security: How to store your users' passwords safely.
所有密码都应该散列、加盐和拉伸。如果可以解密,那就不安全了。请参阅严重的安全性:如何安全地存储用户的密码。
My favorite answer:
我最喜欢的答案:
You need a library that can encrypt your input on client side and transfer it to the server in encrypted form.
You can use following libs:
- jCryption. Client-Server asymmetric encryption over Javascript
Update after 3 years:
Update after 4 years (Wohoo!)
Still not convinced? Neither am I :)
- OpenPGP.JS - Put the OpenPGP format everywhere- runs in JS so you can use it in your web apps, mobile apps & etc.
您需要一个可以在客户端加密您的输入并以加密形式将其传输到服务器的库。
您可以使用以下库:
- jCryption。基于 Javascript 的客户端 - 服务器非对称加密
3年后更新:
4 年后更新(哇!)
还是不相信?我也不 :)
- OpenPGP.JS - 将 OpenPGP 格式放在任何地方- 在 JS 中运行,因此您可以在您的网络应用程序、移动应用程序等中使用它。
See also:
也可以看看:
Is it worth hashing passwords on the client side
UPDATE March 2017:
Consider getting a free SSL Certificate with
2017 年 3 月更新:考虑使用免费的 SSL 证书
回答by Joseph
The only secure way to securely transmit data between client and server is to secure the connection with SSL. What you're essentially doing is just obfuscation, which can be reversed.
在客户端和服务器之间安全传输数据的唯一安全方法是使用 SSL 保护连接。你本质上所做的只是混淆,它可以被逆转。
回答by MBielski
You can use the Stanford Javascript Crypto Library: https://bitwiseshiftleft.github.io/sjcl/. It should work for both Angular and Node.
您可以使用斯坦福 Javascript 加密库:https: //bitwiseshiftleft.github.io/sjcl/。它应该适用于 Angular 和 Node。
Beyond that, your best bet is to make sure that you use HTTPS for your connections.
除此之外,最好的办法是确保使用 HTTPS 进行连接。
