Use RSA | AES to encrypt POST requests so that visitors can log on safely!

Source: Internet
Author: User

A while ago, the csdn password was exposed to the Internet, followed by various account and password leaks, which had to be thought-provoking for Internet security.

Although this is not very relevant to today's content, network security is indeed a problem that cannot be ignored.

The following describes how to make transmission safer after a visitor logs on to the website and enters a password.

Before explaining the specific implementation scheme of this method, You have to analyze the common solution and the commonly used solution.

1. General Solution

Generally, a website uses the POST request to directly send the user's account and password to the server. This method is the most traditional and original implementation method. This method is generally secure. If the data is maliciously intercepted during transmission, the post data can be parsed in reverse. This solution is very insecure, especially when you use some proxy servers to log on to the website. The proxy server can intercept post data and extract the account and password from it. If you create another database and save it, it is very easy.

2. advanced solutions

Some website administrators have seen the shortcomings of the first solution and are also worried about the security of the user's account and password. Therefore, they adopt a dual verification method. Connect the user's account and password to MD5 and save it to the database. In fact, I feel that this method does not fundamentally solve the problem of data being intercepted during data transmission. It only improves the security of the server. However, if the data is intercepted during post submission, the server can still be spoofed to complete logon authentication. Therefore, this method does not solve the interception problem during data transmission.

3. Encryption Scheme

The encryption scheme, that is, the solution today. I have discussed this issue with some people before. For some small websites, it is not necessary to use such a complicated solution because it not only takes time to think about this issue, even if a user logs on and authenticates each time, the server requires a huge amount of computing, which is not worth the cost of the site.

The following describes how to implement this solution.

Required knowledge:

1. AES and RSAAlgorithm2. Implementation of RSA, aes php, and JavaScript 3. Ajax background interaction 4. MD5 JavaScript Encryption

 

All of the above can be found on the InternetCodeAnd there are many ideas.

First, load the page. When capturing important data that the user will enter (such as the onchange event), execute Ajax background interaction to send a request to the server and request the RSA public key.

The server returns the RSA public key to the client and saves the private key under the corresponding user in the server database.

The client receives the user's RSA public key and saves it to cookies (as long as it can be saved locally ).

After the user enters the key data to be transmitted, such as the password, click Submit to read the RSA public key stored in the local cookies and encrypt the user data through the client's JavaScript, then send data to the server through the POST request (if there are high security requirements, the MD5 encryption process can be completed on the client through JavaScript, and then the encrypted data after MD5 encryption is directly transmitted ).

The server receives the data encrypted by the RSA public key, reads the temporary RSA private key from the database for decryption, and obtains the decrypted data.

The following is the implementation of the entire process, which is for reference only.

 

The above method provides a solution based on my own. You need to consider the applicable scope.

Original article. Please indicate the source for reprinting. Welcome to the discussion!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.