User login is the basic function of any application system, especially for the online banking system, the security of user login is particularly important. How to design a secure login authentication program for a website is the main issue discussed in this article.
There are many security risks in static passwords. Attackers have many means to obtain static passwords, and managing passwords also has high costs . " Dynamic password lock " or " USB Key " can solve this problem better, but it will bring the cost of the encryption lock. Without increasing the hardware cost, we can also use some design skills and measures to a certain extent. Guarantee the identity of the logged in person.
1. Client-side and server-side security
The security of the client is mainly the security of the user's password itself (password length and complexity, etc.) and the security of the user's computer, including that the user's computer is not installed with hacker Trojan software, the login program is not loaded and debugged by a third-party program, and the user's input box is organized. Keyboard Hook programs, etc., can be solved with some code.
The security of the server side includes the security of the server itself (system vulnerabilities, etc.) and the security of program design. Here I mainly talk about the security of program design. The most basic problem is that the user's password should not be stored directly on the server's database, nor should the password be encrypted with a single-key algorithm and stored. The most basic authentication method is to authenticate the password through a one-way hash function. In the article " Software Encryption Technology and Registration Mechanism ", some one-way hash functions are introduced to achieve simple authentication. At present, most websites use the MD5 function for login authentication, but I recommend using the more secure SHA1 hash function for login authentication.
2. Security on network transmission
The current network protocol communicates through the HTTP protocol, which has great security risks. Hackers can use the SNIFFER tool to capture and analyze network data packets. Therefore, the transmission of user names and passwords should be transmitted in non-clear text. key cryptography" concept.
Anyone who has studied basic " cryptography " should know the concept of "public key algorithm (also called asymmetric algorithm, double key algorithm)", that is, the key used for encryption is different from the key used for decryption, and The decryption key cannot be calculated from the encryption key.
The encrypted transmission process is divided into two parts, one part is identity authentication, the user identifies the authenticity of the user; the other part is data encryption, which is used for data confidentiality. Both of these functions require the use of asymmetric encryption technology.
The first is identity authentication. The communication data can be processed in this way. The user's information (username, password, etc.) is encrypted with the user's private key, and then transmitted, and the user's public key is saved on the server side. Decrypt the transmitted information with the user's public key to obtain the correct plaintext, thus completing a secure network communication.
An example of the communication process is shown in the figure below. Alice encrypts the plaintext with her private key and transmits it to the server. Users on the server (such as Bob) have public keys of many users, so Alice's public key is used to decrypt the ciphertext. , if the key is correct, the plaintext can be decrypted, and the identity authentication of Alice is completed.
Then there is data encryption. Data encryption and data authentication are just the opposite. The receiver's public key is used to encrypt the data. During transmission, even if the data is intercepted by hackers, these ciphertexts cannot be used. After the receiver receives the ciphertexts, Decrypt the ciphertext with your own private key, thus completing an encrypted transmission of data.
An example of the communication process is shown in the figure below. Alice needs to send a piece of encrypted information to Bob, so Alice encrypts the plaintext with Bob's public key and transmits it to Bob. After Bob receives the information, he uses his own private key to pair the ciphertext. After decryption, the plaintext can be decrypted, and the decryption process of the ciphertext sent by Alice is completed.
The current public key algorithms mainly include RSA and ECC. RSA is an older algorithm, based on the decomposition of large prime numbers, and its speed is slower. ECC (elliptic curve) is the latest public key encryption algorithm, based on discrete logarithm calculation, which is faster than RSA. Fast, the security is said to be higher.
Of course, the above-mentioned technologies are only the most basic identity authentication technologies, and are only suitable for general website applications. For e-commerce and banks, more complex and authoritative security authentication systems are required. The most popular one is PKI technology. PKI (Public Key Infrastructure) is a new security technology, which is composed of basic components such as public key cryptography, digital certificates, certificate authority (CA) and public key security policies. PKI technology has been widely used in e-government and e-commerce, and proved to be the best solution to ensure the security of Internet-based e-government and e-commerce. A complete PKI construction requires a lot of capital and manpower to complete, so I won't introduce it here.