Third-party scan-to-login that does not depend on WeChat

Background

Scan-to-login is secure, but what we mostly use today is built on WeChat, which requires applying for a WeChat Open Platform account.
A large number of internal systems, such as process management systems, internal mail and various admin back ends, currently use plain passwords, and staff who use the company's internal sites often pick weak ones.
Weak passwords on internal systems pose a serious threat: data leakage and takeover of the admin back end. Internal systems are also usually less well defended, so they are more easily turned into a webshell and used for privilege escalation.

Project description

Against this background I have been thinking about doing an open source project. I have some background in cryptography, and the project has already started; if it meets your needs, please leave a message, which will motivate me to keep going.

Features

  1. The core function is scan-based secure login. Scan with what? WeChat (via a WeChat mini program) or a standalone app. I will provide a mini program and a cross-platform app; the iOS app is already live.
  2. Sites integrate on a self-service basis, with no approval from any third party needed, and integration is very easy.
  3. When a user logs in, a single scan is enough.
  4. Both sites with open registration and sites without open registration are supported.
  5. Only PC websites are supported for now; app login authorization may follow later.

Verification process

  1. Each integrating site generates a public/private key pair.
  2. The site's login page uses the SDK to generate a QR code. The QR code contains: random data that is valid only for a short time + a timestamp + the site's public key + site information (such as the site name) + the callback URL the app will call after authorization + a signature over all of the preceding data made with the site's private key. For sites without open registration, the URL also carries the identity id assigned to the user.
  3. After the app scans the QR code it verifies the signature, then checks whether this site and its public key already exist locally. If they do, go straight to step 4. If not, this is a first-time binding (for sites with open registration this is called registration): the app records the site information and the site's public key, and generates a client key pair, keeping one copy.
  4. The client signs the random data from the QR code with its private key; signature + timestamp + the app user's public key + user information (nickname, avatar, etc.) = data. The data is then encrypted with the site's public key, and the encrypted data is sent to the authorization callback URL obtained in the earlier step.
  5. After the site receives the data from step 4, it decrypts it with its own private key, checks that the client's public key verifies the signature the client sent, and then verifies that the data was produced within the allowed time window. It then looks up whether this public key already exists in the database: if not, this is a first login; if so, a repeat login. The same random number is used to verify the data, and after a successful login the site sends the client a cookie.

Summary

The functionality itself is not complicated: it mainly uses asymmetric cryptography, signing with a private key and verifying with the public key, and encrypting with a public key and decrypting with the private key.
The design defends against the following attacks:

  • Site phishing: the callback URL in the QR code is signed with the site's private key, which prevents tampering with the callback URL.
  • Replay attacks: the check in step 5 uses the random data generated in the first step, which is valid only for a short time.
  • Man-in-the-middle attacks: a man in the middle between the app and the server can be prevented by the app itself, but communication between the browser and the server still needs to go over HTTPS.

If you want to use this, please leave a message; if you think there are security vulnerabilities anywhere, please leave a message too.

Source: blog.csdn.net/langouster/article/details/104739534