Design of secure login authentication for websites

Source: Internet
Author: User
Tags: sha1, hash
User login is a basic function of any application system, and for online banking systems the security of user login is particularly important. How to design secure login authentication for a website program is the main issue discussed in this article.

Static passwords carry many security risks: attackers can obtain them in many ways, and managing them is costly. The article "Security Analysis of China's Online Banking System" has shown that hardware security products such as a "dynamic password lock" or a "USB key" solve this problem better, but they add the cost of the hardware token. Without increasing hardware cost, some design techniques and measures can still assure the user's identity to a certain extent.

I. Client and Server Security

Client security mainly covers the security of the user's password (its length and complexity) and the security of the user's computer: no trojan software installed on it, the login program not loaded into or debugged by a third-party program, the password input box resisting keyboard-hook programs, and so on.

Server security includes the security of the server itself (system vulnerabilities and so on) and the security of the program design. Here I will mainly discuss the security of the program design. The most basic rule is that the user's password should not be stored directly in the server's database, nor should it be encrypted with a single-key algorithm and saved. The most basic authentication method is to verify the password through a one-way hash function. The article "Software Encryption Technology and Registration Mechanism" introduces some one-way hash functions for simple authentication. Currently, most websites use the MD5 function for login authentication; however, we recommend the more secure sha1 hash function.

II. Network Transmission Security

Currently, most web communication runs over plain HTTP, which poses a great security risk: an attacker can use a sniffer to capture and analyze network packets. Therefore the user name and password should not be transmitted in plaintext, and the concept of public-key cryptography is used here.

Anyone who has learned basic cryptography knows the concept of a public-key algorithm (also called an asymmetric or two-key algorithm): the key used for encryption differs from the key used for decryption, and the decryption key cannot be computed from the encryption key.

Encrypted transmission consists of two parts: identity authentication, which verifies who the user is, and data encryption, which keeps the data confidential. Both require asymmetric encryption.

The first part is identity authentication. The communication data can be handled this way: the user's information (user name, password, and so on) is encrypted with the user's private key and then transmitted; the server holds the user's public key and uses it to decrypt the transmitted data. If the correct plaintext is obtained, a secure network communication has been completed.

In the example communication, Alice encrypts the plaintext with her own private key and transmits it to the server. The server side (for example, Bob) holds the public keys of many users, so it uses Alice's public key to decrypt the ciphertext. If the key is correct, the plaintext is recovered and Alice's identity authentication is complete.

Data encryption runs in the opposite direction from authentication: the receiver's public key is used to encrypt the data. Even if the data is intercepted in transit, the ciphertext is useless to the attacker; after receiving it, the receiver decrypts the ciphertext with its own private key, completing an encrypted data transmission.

In the example communication, Alice needs to send Bob an encrypted message, so Alice encrypts the plaintext with Bob's public key and transmits it to Bob. After Bob receives the message, he decrypts the ciphertext with his own private key, recovering what Alice sent.
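The two directions described above (private-key transform for identity authentication, public-key encryption for confidentiality), as an added example that is not part of the article. It uses a constructed textbook RSA with tiny primes so that both flows run on plain Python; the key sizes, the names Alice and Bob, and the server keyring are assumptions for illustration.

```python
def make_keypair(p, q, e):
    """Constructed toy RSA key pair from two small primes (illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: inverse of e mod phi(n)
    return (e, n), (d, n)  # (public key, private key)

def rsa_transform(key, blocks):
    """Apply one key's exponent to each block; the same routine serves both halves."""
    k, n = key
    return [pow(b, k, n) for b in blocks]

def blocks_to_bytes(blocks):
    """Recover plaintext bytes; a wrong key leaves values outside 0..255."""
    if any(b > 255 for b in blocks):
        return None
    return bytes(blocks)

# Constructed keys. Real keys are thousands of bits, generated by a vetted
# library, and applied with padding; byte-at-a-time RSA is only a teaching aid.
alice_pub, alice_priv = make_keypair(61, 53, 17)
bob_pub, bob_priv = make_keypair(71, 67, 13)
SERVER_KEYRING = {"alice": alice_pub, "bob": bob_pub}  # server stores public keys only

# Part one, identity authentication: the user transforms the login payload with
# her private key; the server reverses it with the stored public key.
def login_token(user, password, priv):
    return rsa_transform(priv, list(f"{user}:{password}".encode()))

def authenticate(claimed_user, token):
    pub = SERVER_KEYRING.get(claimed_user)
    if pub is None:
        return False
    plain = blocks_to_bytes(rsa_transform(pub, token))
    if plain is None:
        return False
    user, sep, _password = plain.partition(b":")
    # Only the matching private key yields a payload that names the claimed user.
    return sep == b":" and user == claimed_user.encode()

# Part two, data confidentiality: encrypt with the receiver's public key;
# only the receiver's private key recovers the plaintext.
def encrypt_for(receiver_pub, message):
    return rsa_transform(receiver_pub, list(message))

def decrypt_own(priv, ciphertext):
    return blocks_to_bytes(rsa_transform(priv, ciphertext))
```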

Currently, the main public-key algorithms are RSA and ECC. RSA is an older algorithm based on the difficulty of factoring large numbers, and it is slow. ECC (elliptic curve cryptography) is a newer public-key algorithm based on the discrete logarithm problem; it is faster than RSA, and its security is said to be higher.

Of course, the technology described above is only the most basic identity authentication and is suitable only for general website applications; e-commerce and banking require more complex and authoritative security authentication systems. Currently, PKI is the popular technology. PKI (Public Key Infrastructure) is a security technology built from public-key cryptography, digital certificates, certificate authorities (CAs) and public-key security policies. It has been widely used in e-government and e-commerce and has proved to be the best solution for securing Internet-based e-government and e-commerce. Building a complete PKI requires a great deal of money and manpower, so we will not discuss it here.
