New measures for user password protection

Source: Internet
Author: User
Tags: password protection

Translation: BAO chenhui
24/04/2000

Some readers often ask how to use JavaScript on their websites to ensure that users' logon passwords are not leaked. My first response is to tell them to use SSL (Secure Sockets Layer). If used correctly, SSL is the best solution for Web applications with high security requirements. However, a considerable number of developers do not consider their Web applications to need that level of security, and they do not want to require visitors to log on over SSL.

Web applications generally use a technique called session state management to track the interaction between a browser and the server. Because each browser request is independent of every other request (HTTP, as defined, is stateless), a Web application must use some mechanism, such as cookies, hidden form fields, or URL rewriting, to tie the requests coming from one browser together into a session. Most server-side programming environments (such as ASP, PHP, and ColdFusion) use cookies for this.

The problem with session state management is that, on its own, it is fundamentally insecure. The cookies, form values, or URLs that carry the session state must travel between the browser and the server, and an attacker on the path can intercept them. With a captured session identifier, the attacker can take over the user's session.

In most server-side scripting environments you can take measures to reduce this exposure: give the cookie a short lifetime, and make the session state information hard to predict. The most secure solution, however, is SSL, which protects both the user's password and the session state information while they are in transit.

If you do not use SSL, you can require the user to re-authenticate on each sensitive page in your application, but from the user's point of view this is cumbersome. In short, you must decide how much risk you and your users are willing to accept. If the risk of password leakage is too high, build the application on SSL. If you cannot use SSL, you can use an MD5-based login instead; it at least keeps the user's password itself off the wire. Server-side scripting techniques can also be used to reduce the risk of session state theft.

Generally, if a user logs on without SSL (that is, over plain HTTP), the password is unprotected from the moment it leaves the browser until it reaches the Web server, as shown in the chart on the next page.

However, we can build a login scheme around a one-way function, which never exposes the user's password. A function is a correspondence between the elements of two sets: in a function from set A to set B, each element of A corresponds to exactly one element of B. A one-way function is one that is computationally hard to reverse: given an element of B, it is infeasible to determine which element of A maps to it.

This is like a shredder: it is easy to feed a document in and destroy it, but very hard to reassemble the shreds into the original text.

<B>MD5 solution</B>

One of the most widely used one-way functions today is the MD5 algorithm, developed by Ronald Rivest, who is also one of the inventors of the RSA (Rivest, Shamir, Adleman) encryption algorithm. MD5 produces a 16-byte (128-bit) "digital fingerprint" of an input of any length. The input can be a string, a file, a text stream, or any other sequence of bytes. MD5 is specified in detail in RFC 1321. (Practical collision attacks against MD5 have since been published; the scheme below relies only on the digest not being directly invertible, but a design done today would use a current hash function, and preferably a proper authentication protocol over TLS.)

We will now build a login method that uses MD5 to protect the user's password on its way from the browser to the Web server.

When a user asks to log on to the Web application, the server sends back a login form that carries a randomly generated value. The server-side script picks this value at random from a space of hundreds of millions of possible values.


The user enters a user name and password in the login form. The client-side script appends the random value to the password and passes the result through the MD5 one-way function, then replaces the password in the form with the result. I call this value the MD5 password.

Finally, the client script sends the user name and the MD5 password to the Web server. Because only the MD5 digest travels between the browser and the server, an observer cannot read the password directly or reverse the digest. Note, however, that the observer sees both the random value (it is embedded in the login page) and the digest, so the scheme does not stop offline guessing: a weak password can still be recovered by hashing candidate passwords with the same random value until one matches.


After receiving the user name and MD5 password, the Web server performs the same computation as the browser: it appends the random value it issued (kept in the server-side session) to the user's real password (retrieved from protected storage on the server) and computes the expected MD5 password. It then compares this value with the one received from the browser. If the two are equal, the application sets a server-side session variable recording that the user has been authenticated.


At this point you may wonder whether the random value is really necessary. It is there to defeat replay. If only the password itself were passed through MD5, the MD5 password would be the same every time, and an attacker who intercepted it once could log on with it. With the random value, the MD5 password is different on every login, so a captured value is useless once that login has been processed. For this to hold, the server must issue a fresh value for each login attempt and must never accept the same value twice.

<B>JavaScript implementation</B>

Implementing the MD5 login scheme in JavaScript is easy. Paul Johnston's website provides a well-documented JavaScript implementation of the MD5 algorithm, along with other MD5 material. Save that code as md5.js (the site's download is named md5-js.txt) in the same folder as the login page.

We will write the server-side script for the ASP environment, because ASP supports JScript, Microsoft's edition of JavaScript, so the same MD5 code can run on both sides. You can use any server-side scripting language, but then you must port the MD5 algorithm to the language you choose.

The following is the login form, login.asp, for the ASP environment. You can try a simulated login with the user name jason and the password f2#5%rsq.

<%@ LANGUAGE="JScript" %>
<HTML>
<HEAD>
<TITLE>Please log in!</TITLE>
<% Session("sharedValue") = Math.random().toString() %>
<SCRIPT LANGUAGE="JavaScript" SRC="md5.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
// The random value the server stored in the session, embedded in the page
var sharedValue = "<%= Session("sharedValue") %>"
function handleLogin() {
    sendMD5Value(calculateMD5Value())
}
// Append the server's random value to the typed password and hash the result
function calculateMD5Value() {
    var pw = document.forms["login"].elements["password"].value
    pw += sharedValue
    return calcMD5(pw)
}
// Replace the typed password with the MD5 password, then submit the form
function sendMD5Value(hash) {
    document.forms["login"].elements["password"].value = hash
    document.forms["login"].submit()
}
</SCRIPT>
</HEAD>
<BODY>
<FORM NAME="login" METHOD="POST" ACTION="checkpassword.asp">
User ID: <INPUT TYPE="TEXT" NAME="userid" SIZE="40"><BR>
Password: <INPUT TYPE="PASSWORD" NAME="password" SIZE="40"><BR>
<INPUT TYPE="BUTTON" NAME="startLogin" VALUE="Login" onClick="handleLogin()">
</FORM>
</BODY>
</HTML>

Only three lines of the above file contain ASP script (the content between <% and %> is ASP script). The first line of the file sets the ASP language to JScript.

<%@ LANGUAGE="JScript" %>

The second ASP line sets the server-side session variable named "sharedValue" to the string representation of a random floating-point number. This session variable persists on the server for the lifetime of the user's session. (Math.random() is not a cryptographic generator and its output can be predicted; where the platform offers a source of cryptographic randomness, use that for a value an attacker must not be able to guess.)

<% Session("sharedValue") = Math.random().toString() %>

The following line sets a client-side JavaScript variable named "sharedValue" to the value of the server-side session variable of the same name.

var sharedValue = "<%= Session("sharedValue") %>"

When the user enters a user name and password in the form and clicks "Login", the handleLogin() function runs. It calls calculateMD5Value(), which appends the random value to the user's password and computes the MD5 value of the result. sendMD5Value() then puts that value into the form in place of the password the user typed, and submits the form, so only the digest is posted.

Note: the single-line SCRIPT tag includes the file md5.js, which holds the MD5 implementation; you can (and should) copy it from Paul Johnston's site. The calcMD5() function called by calculateMD5Value() is defined in md5.js.

On the server side, an ASP script named checkpassword.asp verifies the user name and MD5 value. Its content is as follows:

<%@ LANGUAGE="JScript" %>
<!-- #include file="md5.inc" -->
<%
// Recompute the expected MD5 password from the stored password and the
// random value issued to this session
function calculateMD5Value() {
    var pw = "" + Application("" + Request.Form("userid"))
    pw += Session("sharedValue")
    return calcMD5("" + pw)
}
var clientPassword = "" + Request.Form("password")
var serverPassword = calculateMD5Value()
// The random value is single-use: discard it so a captured digest cannot be replayed
Session("sharedValue") = ""
if (clientPassword == serverPassword) Response.Redirect("page1.htm")
else Response.Redirect("tryagain.htm")
%>

The following line includes the file md5.inc (on the server side) into the checkpassword.asp script:

<!-- #include file="md5.inc" -->

This file is the md5.js code wrapped in ASP <% and %> delimiters. By ASP convention, include files carry the .inc suffix. (Be aware that IIS serves a .inc file as plain text if it is requested directly, unless the extension is mapped to the ASP handler; that is harmless for MD5 code, but never put credentials in such a file.)

The other piece of server-side script is the calculateMD5Value() function. Request.Form("userid") returns the user name submitted with the form; it is used to look up the user's real password in an Application variable. (In a real ASP application you would fetch the password from a database or another store instead.) The function stores the password in the pw variable, retrieves the random value originally sent to the user from the session variable, appends it to the password, computes the MD5 value of the combination, and returns the result. Note that this requires the server to hold each user's password in a form from which the cleartext can be obtained, which is the main cost of the scheme: a compromise of the server's store exposes every password directly.

function calculateMD5Value() {
    var pw = "" + Application("" + Request.Form("userid"))
    pw += Session("sharedValue")
    return calcMD5("" + pw)
}
