HarrySun

  博客园 :: 首页 :: 博问 :: 闪存 :: 新随笔 :: 联系 :: 订阅 订阅 :: 管理 ::

Design:

I want to give a general authentication design long time ago.

Now I just sit down and do it.

As dipicted above, we only concern two aspects for security:

  • Network transmission
  • storage on server side

 

1.Network transmission

The best way is alway using SSL. 

Asymmetric encryption is another choice.

1) Every time user needs to login, server generates  privateKey and publickey pair and sends the publicKey to client.

2) Client encrypts sensitive data and send the encrypted data to server.

 

2.storage on server side

1) decrypt the sensitive data to get the original data (don't record the orignal data)

2) use some hash functions to encrypt the sensitive data,such as sha1.

For example:

  • sha(salt$password+secret)
  • md5(md5(password)+salt))
  • sha1(md5(pass)+userID+siteConfigSecret)
  • salt$base64(sha1(pwd))
  • hash255+salt

3) storage the encrypted data

Now even the db administrator can't get the orignal sentive data.

 

By the way, what should we do if user forgets the password.

1) server generates a token associated with the uid. then send it to user's email such as:  http://xxx.com/?reset=xxxxxxxxxxxxxx

2) user clicks the link and is redirected to the reset page. 

 

Impliment:

1.For Network transmission

1) SSL

Pending....

 

2) Asymmetric encryption

Pending...

 

2.storage on server side

Pending....

 

 

 

some of References:

http://www.iamcal.com/publish/articles/security/authentication/

http://www.cnblogs.com/guogangj/archive/2012/03/05/2381117.html

http://sofish.de/2020

 

 

 

 

posted on 2014-01-04 17:13  HarrySun  阅读(207)  评论(0编辑  收藏  举报