Authenticate without using a server

十年热恋 提交于 2019-12-08 07:52:59

问题


I'm looking for ideas to authenticate a user without the usual trip to a server. Any semi-secure way of authenticating a user on the client side is acceptable.

I'm think of storing some encrypted secret in a js file, then only users that have the correct code will be able to decrypt it, and the correct code can be either entered or stored in a cookie or something. Sound good, or any other ideas?


回答1:


Take a look at oauth by client side javascript. Search google for 'oauth client side only'.

For example, this - https://developers.google.com/accounts/docs/OAuth2UserAgent




回答2:


I'm think of storing some encrypted secret in a js file, then only users that have the correct code will be able to decrypt it, and the correct code can be either entered or stored in a cookie or something.

What you're asking for is definitely possible, but I'm not sure it will actually be useful to you.

You need to use a key-derivation function like PBDFK2 ("Password-Based Key Derivation Function 2"). The user enters a password, then the KDF transforms the password into a key. Then, you use the key to operate a strong symmetric cipher like AES (and make sure you use a secure mode of operation like CBC). This approach is reasonably secure, but it's still vulnerable to key loggers (OS-level and browser-level) and memory-state examination.

The important point here is that the user must enter a password in order to encrypt the secret in the first place. You can't send the user a secret and then demand a password. The user can use a password to encrypt a message and then have the system require that same password later for future access.

Alternatively, you could choose the password yourself, generate the key and encrypted data, and then send your chosen password (along with the encrypted data) to the user to remember or store securely.

Practically speaking, CryptoJS is a JavaScript implementation that supports both AES and PBKDF2.




回答3:


Maybe you can store a hash of a password and encrypt the sensible application JS source code, in order to evaluate it when the user is "authenticated" with the correct key ?

See this article about Google's method about javascript processing. Use an encrypted javascript string source code, and you are client-sided secure ?



来源:https://stackoverflow.com/questions/21005450/authenticate-without-using-a-server

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!