Because the source code of a Web page is exposed, a traditional symmetric encryption scheme puts both the algorithm and the key in the JS file, and anyone who reads that file can decrypt the traffic the same way.
At present, the better solution is to use HTTPS for the whole site, or at least for critical steps such as user login.
Another solution is to encrypt with RSA.
RSA is asymmetric encryption: the client encrypts with the public key, and the server decrypts with the private key. For the RSA algorithm itself, see the Baidu Encyclopedia entry.
This means the public key cannot decrypt, so it is safe to transmit it in plaintext.
1. Encryption Process
The server generates a public/private key pair, sends the public key to the client to encrypt the password, and decrypts the result with the private key.
2. Key Generation (NodeJS)
Use node-rsa to generate the RSA public and private keys:
```javascript
import NodeRSA from 'node-rsa';

// 512-bit key as in the original post (far too short for production use; 2048 bits or more is the usual minimum)
let key = new NodeRSA({ b: 512 });
let publicDer = key.exportKey('pkcs8-public');   // PEM public key, sent to the browser
let privateDer = key.exportKey('pkcs8-private'); // PEM private key, kept on the server
```
In general, the server can generate a key pair when it starts and cache it, so that it is ready for decryption later.
3. Password Encryption (Browser Side)
After the client receives the public key, it encrypts the password before the form is submitted:
```javascript
import NodeRSA from 'node-rsa';

var encryptStr = function (password) {
  let clientKey = new NodeRSA();          // empty key object; no need to generate a key pair in the browser
  var publicKey = localStorage.publicKey; // the public key received from the server, cached locally
  clientKey.importKey(publicKey);
  let encrypted = clientKey.encrypt(password, 'base64');
  return encrypted;
};
```
Points to note:
Importing the node-rsa library on the client increases the size of the JS bundle; compress the code before going live, or replace it with a smaller RSA library.
4. Password Decryption (NodeJS)
After the server receives the client's request, it decrypts the encrypted password with the private key generated earlier:
```javascript
import NodeRSA from 'node-rsa';
// `util` is the project's own cache helper (getCache / isEmpty); it is not shown in the post

let decryptStr = async function (pwd) {
  let key = new NodeRSA();
  let privateDer = await util.getCache("rsa.privateCache"); // read the private key from the cache
  if (util.isEmpty(privateDer)) {
    console.log("get RSA private key failed!!");
    return null;
  }
  key.importKey(privateDer);
  if (!key.isPrivate()) { // verify that the imported key really is a private key
    console.log("import RSA private key failed!!");
    return null;
  }
  return key.decrypt(pwd, 'utf8'); // pwd is the base64 ciphertext from the browser
};
```
RSA-based Web front-end password encryption scheme