Java security authentication, Java identity authentication security

This post looks at how to authenticate judge accounts securely in an application when SSL cannot be used. The proposal is to use public-key cryptography: each user holds a public/private key pair, which removes the need for a password. When a user sends a message, it is encrypted with the user's private key and the server decrypts it with the corresponding public key to verify the user's identity. This approach can build a web of trust in which judges vouch for the public keys of new users.
Summary generated by CSDN using automated technology

I have a central admin instance of an app where judge accounts are created. In order to use this judge account, a judge instance of the app from another computer needs to authenticate with the central admin. A user instance of the app will send something to the admin, who will push it off to one of the judges.

My problem is how I can authenticate a judge. If I simply send the password, it can be sniffed (since all of these instances are required to be on the same network).

I'm not sure if using SSL would help, but even if it does, I can't use it (I have no control over this).

Solution

You could use something like PGP here. So you would use some public key stuff. That would eliminate the need for a password altogether.

With public key encryption every user has a public key and a private key. Stuff that is encrypted with one key can only be decrypted with the other key. So you can hand out the public key. If someone wants to send something to you, he can use your public key to encrypt the message, and only you can decrypt it.

So messages to the server would be encrypted with the user's private key. He sends the message and his public key. You can do a database lookup on the server side to check whether you know this public key, and if you can decrypt the message with that key, you know that it was sent by that user.

With some work, you probably could use that to identify and authenticate users.

You would just use the judges to vouch for any new user and his public key when they first talk to the server. So you can create a web of trust.
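As an added worked example (not code from the question or the answer above), here is how the answer's scheme can be put into Java with the standard java.security API: the judge keeps its private key, the central admin stores vouched-for public keys indexed by a fingerprint, and a message signed with the private key is verified with the stored public key (a Signature over the message is the standard way to realise "encrypt with the private key, decrypt with the public key" for authentication). The example goes one step beyond the answer by having the admin issue a fresh random nonce for each login, so that a response sniffed on the shared network cannot simply be replayed later. The class and method names, the RSA key size and the 32-byte nonce are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (hypothetical names): challenge-response authentication of a judge
// instance against the central admin using a public/private key pair.
public class JudgeAuthExample {

    // What a judge sends back: which key it claims, the nonce it answers, and a signature.
    static final class AuthResponse {
        final String keyId;      // fingerprint of the judge's public key (SHA-256, Base64)
        final byte[] challenge;  // the nonce the admin issued
        final byte[] signature;  // SHA256withRSA over (keyId || challenge)
        AuthResponse(String keyId, byte[] challenge, byte[] signature) {
            this.keyId = keyId; this.challenge = challenge; this.signature = signature;
        }
    }

    // Central admin side: registry of vouched-for public keys plus outstanding nonces.
    static final class AdminServer {
        private final Map<String, PublicKey> registeredKeys = new HashMap<>();
        private final Map<String, byte[]> pendingChallenges = new HashMap<>();
        private final SecureRandom random = new SecureRandom();

        // The "web of trust" step: a key an existing judge vouched for is stored here.
        void registerJudgeKey(PublicKey key) throws GeneralSecurityException {
            registeredKeys.put(fingerprint(key), key);
        }

        // A fresh random nonce per login attempt, so a sniffed response cannot be replayed.
        byte[] issueChallenge(String keyId) {
            byte[] nonce = new byte[32];
            random.nextBytes(nonce);
            pendingChallenges.put(keyId, nonce);
            return nonce;
        }

        // Accept only if the key is known, the nonce is the one we issued (single use),
        // and the signature verifies under the registered public key.
        boolean authenticate(AuthResponse r) throws GeneralSecurityException {
            PublicKey key = registeredKeys.get(r.keyId);
            byte[] expected = pendingChallenges.remove(r.keyId);
            if (key == null || expected == null || !MessageDigest.isEqual(expected, r.challenge)) {
                return false;
            }
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(key);
            verifier.update(signedPayload(r.keyId, r.challenge));
            return verifier.verify(r.signature);
        }
    }

    // Judge side: proves possession of the private key; the key itself never leaves the judge.
    static AuthResponse answerChallenge(KeyPair judgeKeys, byte[] challenge)
            throws GeneralSecurityException {
        String keyId = fingerprint(judgeKeys.getPublic());
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(judgeKeys.getPrivate());
        signer.update(signedPayload(keyId, challenge));
        return new AuthResponse(keyId, challenge, signer.sign());
    }

    // Bind the key id into the signed bytes so a signature cannot be moved to another key id.
    static byte[] signedPayload(String keyId, byte[] challenge) {
        byte[] id = keyId.getBytes(StandardCharsets.UTF_8);
        byte[] out = new byte[id.length + challenge.length];
        System.arraycopy(id, 0, out, 0, id.length);
        System.arraycopy(challenge, 0, out, id.length, challenge.length);
        return out;
    }

    // Key identifier: SHA-256 over the encoded public key, Base64 so it works as a map key.
    static String fingerprint(PublicKey key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair judge = gen.generateKeyPair();
        KeyPair unregistered = gen.generateKeyPair();  // a key the admin was never told about

        AdminServer admin = new AdminServer();
        admin.registerJudgeKey(judge.getPublic());
        String judgeId = fingerprint(judge.getPublic());

        // Genuine judge answers the admin's nonce with the matching private key: accepted.
        byte[] nonce = admin.issueChallenge(judgeId);
        System.out.println("judge accepted:        " + admin.authenticate(answerChallenge(judge, nonce)));

        // Same nonce presented again: it was consumed by the first login, so rejected.
        System.out.println("replay accepted:       " + admin.authenticate(answerChallenge(judge, nonce)));

        // Response built with a different private key but the judge's key id: rejected.
        nonce = admin.issueChallenge(judgeId);
        AuthResponse other = answerChallenge(unregistered, nonce);
        AuthResponse relabelled = new AuthResponse(judgeId, nonce, other.signature);
        System.out.println("unregistered accepted: " + admin.authenticate(relabelled));
    }
}
```

Run with `javac JudgeAuthExample.java && java JudgeAuthExample`; it needs no library beyond the JDK. The nonce is the part the answer leaves out: without it, an attacker on the same network who captures one valid signed message can present it again, since a static message signed with the private key is as reusable as a sniffed password. The remaining open point is the registration step, which in this sketch is a plain `registerJudgeKey` call and would in practice be gated on an existing judge vouching for the new key, as the answer suggests.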
