On the application of users ' registration of mobile Internet application of non-reversible encryption for security consideration

Mobile Internet applications today generally use a user registration mechanism to enhance user stickiness.

So for safety design. How should the user's password be transmitted? How to save in the cloud? I've been thinking about this for a long time. Summarize some of the following ideas. Mainly related to the use of non-reversible encryption principle.

If the user's registration/login process is carried out in a completely safe environment, you can design very easy: Register is to set the password directly saved, login is directly compared to password.

This process does not involve any encryption technology.

However, in practical applications. The entire process may be in an unsafe environment, such as the preservation of password system may be hacked, password transmission may be intercepted by hackers ...

。 In such an environment, how can you guarantee that your login process will not be disguised by other practical people? How does password not leak?

The following is the delivery of the password and the information derived from it (I call it trust information) during the registration and login process:

Note:

Mobile App Cloud Server
Password----> Transmission----> Durable storage

Login:

Mobile App Cloud Server

Password----> Transmission----> Comparison with persistent information

Because of the non-security of the delivery process, the pass-through steps for each more information. One more chance of information disclosure. In order to ensure the security of trust information, it is necessary to ensure that the transfer process of trust information is irreversible. such as hash encryption algorithm (such as md5,sha1,sha256, PBKDF2, bcrypt, etc.) can achieve this goal.

These algorithms ensure that upstream information (such as password) cannot be extrapolated from downstream information. In addition, such algorithms can ensure that the same input and parameters are calculated to get the same output, so that the cloud can compare the results of the two sides to determine whether the original information (such as password) is the same. To achieve the user authentication effect.

So, in terms of the above scenario. How do I encrypt the password at every link (e.g. transfer/save)?

Simply put, the user entered password at the time of the registration. The ability to do hash encryption first. After the network transfer, cloud Server received, and then do a hash encryption. And then save them. The process of logging in is similar to the information that cloud server Gets or uses after several (here is 2) hash encryption results.

By contrast, there's a lot of article attention right now, but the process of password to cloud server after hashing.

In fact, a complex system may have multiple risk-of-exposure links, so it needs to be one by one identified and add the necessary hash encryption steps.

In detail, such as the above register or login process, assume that only a first-level hash encryption. Although the effect of protecting the original password is achieved. But there is still a security risk: Assuming that the cloud is encrypted before it is saved, the transfer process still uses password plaintext. There is a risk of leakage.

The inverse assumes that the hash is encrypted before transmission, once the hash has been compromised. Then easy is forged login:.

To summarize:

In the process of transferring trust information from a high trust domain to a low trust domain, the non-reversible hash encryption process can effectively control the high trust level of information that spreads directly to the lower trusting domain. Suppose there are multiple levels of such a scenario in a system. That should be done more than once using irreversible encryption.

Note:
1) The above mentioned one irreversible cryptographic processing does not mean that it can only be a hash encryption algorithm iteration. In fact, in order to increase the strength of the algorithm, it is sometimes possible to use a very multiple hash encryption algorithm iteration.
2) in irreversible encryption processing, it is often necessary to add salt value. In order to resist the Rainbow watch attack, there is no specific elaboration here.

On the application of users ' registration of mobile Internet application of non-reversible encryption for security consideration