On the use of non-reversible encryption in user registration for mobile Internet applications: a security consideration

Source: Internet
Author: User

Mobile Internet applications today generally use a user registration mechanism to increase user stickiness.

So, from a security-design standpoint: how should the user's password be transmitted, and how should it be stored in the cloud? I have thought about this for a long time and summarize some ideas below, mainly concerning the use of the non-reversible (one-way) encryption principle.


If the user's registration/login process took place in a completely secure environment, the design could be very simple: registration would store the password directly, and login would compare the submitted password directly against the stored one.

This process would involve no encryption technology at all.

In practice, however, the whole process may take place in an insecure environment: the system that stores the passwords may be hacked, the password may be intercepted in transit, and so on. In such an environment, how can you guarantee that your login process cannot be impersonated by someone else? How do you keep the password from leaking?


The following shows how the password, and the information derived from it (which I call trust information), is passed along during the registration and login processes:

Registration:

Mobile App          Cloud Server
Password ----> transmission ----> persistent storage

Login:

Mobile App          Cloud Server
Password ----> transmission ----> comparison with the persisted information


Because the delivery process is insecure, every additional step that passes information along is one more opportunity for that information to leak. To keep the trust information secure, each transfer step must be made irreversible; a hash algorithm (such as MD5, SHA-1, SHA-256, PBKDF2, bcrypt, etc.) achieves this.

These algorithms ensure that upstream information (such as the password) cannot be derived from downstream information. They also guarantee that the same input and parameters always produce the same output, so the cloud can compare the two sides' results to decide whether the original information (the password) is the same, which is what achieves user authentication.

So, in the scenario above, how should the password be encrypted at each stage (transfer, storage)?

Simply put: at registration, the password the user enters is hashed first on the device; after network transfer, the cloud server receives that value, hashes it again, and stores the result. Login is similar: the cloud server obtains or uses the result of several (here, two) hash steps for its comparison.


By contrast, most articles today focus only on hashing the password after it has reached the cloud server.

In fact, a complex system may have several links at which exposure is possible, so they need to be identified one by one and the necessary hashing step added at each.

In detail, take the registration or login process above and assume only a single level of hashing. Although the original password is protected, a security risk remains: if the cloud hashes the password only before saving it, the transfer still carries the password in plaintext, and it can leak there.

Conversely, if the password is hashed only before transmission, then once that hash is compromised a login can easily be forged.


To summarize:

When trust information moves from a higher-trust domain to a lower-trust domain, an irreversible hashing step effectively prevents the higher-trust information from spreading directly into the lower-trust domain. If a system has several such levels, irreversible encryption should be applied more than once, once per level.


Notes:
1) An irreversible encryption step as described above does not have to be a single iteration of a hash algorithm; to increase the strength of the scheme it is sometimes possible to use a large number of hash iterations.
2) When applying irreversible encryption, a salt value usually needs to be added in order to resist rainbow-table attacks; this is not elaborated here.
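As an added example (not the article's own code), here is the two-level scheme described above in Python: the app applies the first irreversible step before transmission and the cloud applies a second, randomly salted step before storage, as the notes recommend. The choice of PBKDF2, the iteration counts, the user name as the client-side salt and the in-memory store are this example's assumptions.

```python
import hashlib
import hmac
import os

# Two-level scheme from the text: hash in the app before transmission, then hash
# again (salted) in the cloud before storage. Parameters are this example's own.
CLIENT_ITERATIONS = 10_000    # first level, runs on the phone
SERVER_ITERATIONS = 100_000   # second level, runs in the cloud

def client_hash(username, password):
    """Level 1: the only credential that ever crosses the network.
    Salted with the user name so the app can recompute it at login
    without first asking the server for a salt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               username.encode(), CLIENT_ITERATIONS)

def server_hash(transmitted, salt):
    """Level 2: random per-user salt (note 2 of the text), so a leaked
    store reveals neither the password nor the transmitted value."""
    return hashlib.pbkdf2_hmac("sha256", transmitted, salt, SERVER_ITERATIONS)

USER_DB = {}   # constructed in-memory "cloud" store: user -> (salt, digest)

def register(username, password):
    transmitted = client_hash(username, password)   # leaves the device
    salt = os.urandom(16)
    USER_DB[username] = (salt, server_hash(transmitted, salt))

def cloud_verify(username, transmitted):
    """Cloud side of login: recompute level 2 and compare in constant time."""
    record = USER_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(server_hash(transmitted, salt), stored)

def login(username, password):
    return cloud_verify(username, client_hash(username, password))

def stored_digest_works_as_credential(username):
    """Storage-compromise check: the persisted digest must NOT log in."""
    _salt, stored = USER_DB[username]
    return cloud_verify(username, stored)

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))   # True
    print(login("alice", "wrong password"))                 # False
    print(stored_digest_works_as_credential("alice"))       # False
```

The last check is the point of the second level: a copy of the cloud's storage does not yield the value the app transmits, so it cannot be replayed as a login.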

