GWT/GWT-Ext 中密码字符串的 md5 哈希值?

发布于 2024-07-29 20:19:27 字数 747 浏览 14 评论 0原文

我目前正在尝试修改现有的 GWT-Ext 应用程序,该应用程序在其 MySql 数据库中使用纯文本密码。

我的计划是使用 md5 哈希值,因为可以使用 MySql 函数轻松更改现有密码,并且我希望为 GWT-Ext 端找到一个简单的解决方案。 但据我发现,GWT 不支持 java.security,并且似乎没有任何其他实现可用于将密码字符串更改为客户端的 md5 哈希值。

到目前为止,我找到的唯一“解决方案”是通过 JSNI 重新实现 md5 方法,如下所述: http://groups.google.com/group/Google- Web-Toolkit/browse_thread/thread/ad09475a9944c9f8

Ext-JS 有一个现有的用户扩展,但我找不到 GWT-Ext 的任何内容: http://extjs.com/forum/showthread.php?p=133516

有人知道解决这个问题的更优雅/简单的方法吗? 也许我应该使用其他东西而不是 md5 来确保密码被加密?

干杯 坦率

I am currently trying to modify an existing GWT-Ext application, that is using plain text passwords in its MySql database.

My plan was to use md5 hashes, as the existing passwords can be easily altered with the MySql function and I was expecting to find an easy solution for the GWT-Ext side as well. But as I found out, java.security is not supported by GWT and there doesn't seem to be any other implementation that can be used to change the password string to a md5 hash on client side.

Only "solution" I found so far, is to re implement a md5 method via JSNI as described here:
http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/ad09475a9944c9f8

There is an existing user extension for Ext-JS, but I couldn't find anything for GWT-Ext:
http://extjs.com/forum/showthread.php?p=133516

Does anybody know a more elegant/simple way to solve this problem? Maybe I should use something else instead of md5 to make sure the passwords are encrypted?

Cheers
Frank

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

爱你不解释 2024-08-05 20:19:28

您需要 gwt-crypto。 它包括许多标准的加密内容。

You want gwt-crypto. It includes lots of standard crypto stuff.

荒岛晴空 2024-08-05 20:19:27

就我个人而言,我会说你这样做是错误的。 我不会在客户端对密码进行哈希处理(这就是 GWT)。 如果您对密码进行哈希处理,那么您无疑需要对其进行加盐,否则您将容易受到 rainbow 的影响 攻击。 如果您在客户端对它进行哈希+加盐,则您的用户将可以访问您的盐。

如果我是你,我会在服务器端对你的密码进行哈希+盐处理。 这将允许您使用标准 Java 代码来执行 MD5 哈希。

我的2分钱。

-J.P

Personally, I would say you're doing it wrong. I wouldn't hash a password on the client side (which is what GWT is). If you hash your password, you will undoubtedly want to salt it, otherwise you will be susceptible to rainbow attacks. If you hash + salt it on the client side, your salt will be accessible to your users.

If I were you, I would hash + salt your password on the server side. This will allow you to use your standard Java code to perform your MD5 hash.

My 2 cents.

-JP

请帮我爱他 2024-08-05 20:19:27

另一个可能满足您需求的想法是所谓的零知识身份验证。 (即服务器永远不需要知道用户的纯文本密码。)

基本上,在设置初始密码时,客户端会对用户密码进行 N 次哈希处理(其中 N 是一个较大的数字,如 1000),然后将最终哈希发送到服务器存储哈希值和 N。

稍后,当用户想要进行身份验证时,服务器告诉客户端 N-1,客户端对用户输入 N-1 次的密码进行哈希处理,然后将其发送到服务器服务器。 服务器对收到的哈希值再执行 1 次哈希操作,并(希望)获得存储的哈希值。 然后服务器存储 N-1 哈希值和 N-1 数字。

每次用户进行身份验证时,服务器都会减少存储的 N 并保存之前的哈希值。

当N减至0时,用户必须选择并设置新密码。

服务器必须确保它永远不会请求相同的迭代,否则很容易受到重放的影响。 您无法真正从客户端强制执行该条件,因为客户端(尤其是浏览器)无法可靠地跟踪最后 N。

Another idea that may fit your need is something called zero knowledge auth. (Ie. the server never needs to know the user's plain text password.)

Basically, when setting the initial password, the client hashes the user's password N times (where N is a largish number like 1000), and then sends that final hash to the server along with N. The server stores the hash and N.

Later, when the user wants to authenticate, the server tells the client N-1, and the client hashes the password the user types N-1 times and sends that to the server. The server does 1 more hash on the received hash, and (hopefully) gets the stored hash. The server then stores the N-1 hash and N-1 number.

Each time the user authenticates, the server decrements the stored N and saves the previous hash.

When N gets down to 0, the user must choose and set a new password.

The server must ensure that it never asks for the same iteration, otherwise it is vulnerable to a replay. You can't really enforce that condition from the client side because the client (especially a browser) can't reliably keep track of the last N.

情域 2024-08-05 20:19:27

您永远不应该使用 md5 或其他哈希函数进行密码加密。 请参阅http://codahale.com/how-to-safely-store-a -密码/

You should never use an md5 or other hash functions for password encryption. See http://codahale.com/how-to-safely-store-a-password/

佼人 2024-08-05 20:19:27

您可以使用 gwt-crypto 生成 SHA-1 在客户端使用以下哈希值:

String getSHA1for(String text) {
  SHA1Digest sd = new SHA1Digest();
  byte[] bs = text.getBytes();
  sd.update(bs, 0, bs.length);
  byte[] result = new byte[20];
  sd.doFinal(result, 0);
  return byteArrayToHexString(result);
}

String byteArrayToHexString(final byte[] b) {
  final StringBuffer sb = new StringBuffer(b.length * 2);
  for (int i = 0, len = b.length; i < len; i++) {
    int v = b[i] & 0xff;
    if (v < 16) sb.append('0');
    sb.append(Integer.toHexString(v));
  }
  return sb.toString();
}

You can use gwt-crypto to generate SHA-1 hashes on the client side using:

String getSHA1for(String text) {
  SHA1Digest sd = new SHA1Digest();
  byte[] bs = text.getBytes();
  sd.update(bs, 0, bs.length);
  byte[] result = new byte[20];
  sd.doFinal(result, 0);
  return byteArrayToHexString(result);
}

String byteArrayToHexString(final byte[] b) {
  final StringBuffer sb = new StringBuffer(b.length * 2);
  for (int i = 0, len = b.length; i < len; i++) {
    int v = b[i] & 0xff;
    if (v < 16) sb.append('0');
    sb.append(Integer.toHexString(v));
  }
  return sb.toString();
}
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文