Is encryption and decryption with JavaScript secure enough?
This is the JavaScript library: jsencryption.js
I want to use it to:
- Encrypt the data of users on my site, and then send it to the database server.
- Send the encrypted data from the database to the browser client; the user enters the key, and then the raw data is shown.
- The database does not save the key, so it is safer.

I want to know whether this approach is safe enough. What about http://www.passpack.com/en/home/, and how does passpack.com save the password?
Thanks
Comments (2)
The jsencryption.js library you link to claims the following
So, yes, if the password is strong enough this looks to be very secure (unless someone messes with the user's browser or computer, think keylogger or malicious Firefox plugin or the site itself undermining the script).
It seems that there are several JavaScript AES-256 encryption implementations around, including:
Before you use any of these, you should test them with the AES test vectors. The implementation from hanewin.net [claims to do so][1].

[1]: http://www.hanewin.net/encrypt/aes/aes.htm
However, I have some questions about your underlying design. What's your threat model? Lots of people have looked at having encryption/decryption done in the browser. But that's not necessarily more secure, as if somebody breaks into the server they can booby-trap the browser's JavaScript. Certainly this will keep you protected against somebody compromising your database server and downloading the tables, but server-side encryption would do that as well. And the big advantage of server-side encryption is that you can use trusted modules like OpenSSL and not have to worry about the quality of the JavaScript implementations.
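
The test-vector check recommended in the second answer, as an added example that is not part of the original thread or of any library named in it. It assumes Node.js; the `encryptBlock`/`decryptBlock` interface and the `faultyImpl` object are hypothetical, and Node's OpenSSL-backed `crypto` module stands in for the JavaScript implementation under test.

```javascript
const crypto = require('node:crypto');

// FIPS-197 Appendix C.3 example vector: AES-256, one 16-byte block.
const VECTORS = [{
  name: 'FIPS-197 C.3',
  key: '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f',
  plaintext: '00112233445566778899aabbccddeeff',
  ciphertext: '8ea2b7ca516745bfeafc49904b496089',
}];

// Raw AES block transform: ECB mode with padding disabled, so exactly
// one 16-byte block goes in and one comes out.
function rawBlock(make, key, block) {
  const c = make('aes-256-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}

// Stand-in for the implementation under test (assumption: it exposes
// encryptBlock/decryptBlock taking and returning byte buffers).
const referenceImpl = {
  encryptBlock: (key, block) => rawBlock(crypto.createCipheriv, key, block),
  decryptBlock: (key, block) => rawBlock(crypto.createDecipheriv, key, block),
};

// Constructed faulty implementation: flips one bit of the ciphertext,
// to show that the harness catches a subtly wrong cipher.
const faultyImpl = {
  encryptBlock(key, block) {
    const out = referenceImpl.encryptBlock(key, block);
    out[0] ^= 0x01;
    return out;
  },
  decryptBlock: referenceImpl.decryptBlock,
};

// Runs every vector in both directions; returns a list of failure messages.
function runKnownAnswerTests(impl, vectors = VECTORS) {
  const failures = [];
  for (const v of vectors) {
    const key = Buffer.from(v.key, 'hex');
    const gotCt = Buffer.from(impl.encryptBlock(key, Buffer.from(v.plaintext, 'hex'))).toString('hex');
    if (gotCt !== v.ciphertext) failures.push(`${v.name}: encrypt gave ${gotCt}`);
    const gotPt = Buffer.from(impl.decryptBlock(key, Buffer.from(v.ciphertext, 'hex'))).toString('hex');
    if (gotPt !== v.plaintext) failures.push(`${v.name}: decrypt gave ${gotPt}`);
  }
  return failures;
}

console.log('reference:', runKnownAnswerTests(referenceImpl));
console.log('faulty:', runKnownAnswerTests(faultyImpl));
```

A passing known-answer test only validates the block cipher itself; how a library derives the key from a password and which mode and IV handling it uses need separate review.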