开发者

Simple XOR a message (Javascript/Tcl)?

I need the username/password to be scrambled at the client-side before sending it over via HTTP GET/POST. And the server will decode it with Tcl, before the checks against database.

Currently I'm thinking about using JavaScript for the client-side. Java Applet will also do.

Is there any way, that I can easily achieve it, using Simple XOR or any other methods? (Examples would be much appreciated)

I've found the few samples in C/Python/.NET/Java... Bu开发者_JS百科t not in JavaScript and Tcl.

SSL is not an option to use, sadly.


If ssl is not an option, then I suggest the following scheme, which many sites use instead of SSL:

  1. On the client side, combine the user name and password, then calculate a hash from it (MD5 is a popular choice).
  2. Send the user's name and hash over to the server
  3. On the server side, retrieve the password for that user from the database.
  4. From the user name and password, calculate the hash and compare it with the client's hash. If the two match, then the passwords match.
  5. For added security, add a little random text to the user+password mix. This random text, AKA the "salt", must be known on both the client and server sides.

Here is a suggestion on how to calculate the hash using MD5:

package require md5

proc calculateHash {user password salt} {
    return md5:md5 -hex "$user:$salt:$password"
}

How to use it:

set user "johnny"
set password "begood2mama"
set salt "myDog_is_meaner_than_yourDog"

set hash [calculateHash $user $password $salt]


superNobody,

You should consider alternatives to storing plain-text passwords in the database. See:

  • http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

Instead of encoding the password in Javascript, then decoding the password in Tcl to compare with the database, you should consider SHA1 hashing in Javascript, and storing SHA1 hashed values in the database.

There are several available examples of a SHA1 hash function in javascript (just Google 'sha1 javascript'). The tcllib Tcl library has SHA1 support.

As HaiVu mentioned, you should also consider hashing / storing more than just a straight password hash, but instead use something like SHA1( username + websitename + password ). You can calculate this on the client in Javascript, and store it in the db.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜