I'm currently planning the development of a PHP application that shall require user passwords for external services to be stored so that they can be logged into simultaneously when the user logs into my application.
我目前正计划开发一个PHP应用程序,该应用程序需要存储外部服务的用户密码,以便在用户登录我的应用程序时可以同时登录。
I shall need to store passwords in a secure, i.e. not plain text, and not base64 encoded but that shall also need to be accessible as plain text by the application, one way or another.
我需要将密码存储在一个安全的,即非纯文本中,而不是base64编码,但是也需要以某种方式由应用程序以纯文本形式访问。
I've only been able to think of something like the following:
我只能想到以下内容:
When a user adds their credentials for the external service to their account, they re-enter their password for my application and that (in an encrypted form) is used to 'encrypt' the password for the external service somehow, but in a way that makes it accessible still.
当用户将其外部服务的凭据添加到其帐户时,他们会重新输入我的应用程序的密码,并且(以加密形式)用于以某种方式“加密”外部服务的密码,但是以某种方式让它仍然可访问。
Does anyone have any thoughts on if this is possible, or a potential solution?
有没有人想过这是可能的,还是一个潜在的解决方案?
Thanks
谢谢
Also: it's worth noting that it will be an SSL connection that the data is sent over.
另外:值得注意的是,它将是一个SSL连接,数据是通过它发送的。
Out of curiosity: Say for example; Google Mail, you can add email accounts to your Google Mail account so that all of them are checked. Does anyone have any thoughts on how Google store the passwords for the accounts you add?
出于好奇:比如说; Google Mail,您可以将电子邮件帐户添加到您的Google Mail帐户,以便检查所有帐户。有没有人对Google如何存储您添加的帐户的密码有任何想法?
7 个解决方案
#1
5
The problem with this in general, is if your system is every compromised, the attacker can get all the passwords for all the systems, because they are encrypted and not hashed. There is no way around this, since you want to be able to get the plain-text passwords.
一般来说,问题在于,如果您的系统遭到全部攻击,则攻击者可以获取所有系统的所有密码,因为它们是加密的而不是哈希的。没有办法解决这个问题,因为您希望能够获得纯文本密码。
If you must do this, you can use something well trusted like OpenSSL to encrypt the passwords.
如果必须这样做,您可以使用像OpenSSL这样受信任的东西来加密密码。
#2
2
From a securities stand point, you really should never store a password anywhere. I would have the user enter their password md5 their password and store that. So when he authenticates its authenticated vs the md5. As for the externals. You could take the external password and XOR the external password with the stored md5. That way you could undo it to pass it to the external source. Or the better way would be to ask for the password every time for the externals. This is a choice of risk vs convenience.
从证券角度来看,你真的不应该在任何地方存储密码。我会让用户输入他们的密码md5他们的密码并存储它。因此,当他验证其认证的与md5。至于外部。您可以使用外部密码和外部密码与存储的md5进行异或。这样你可以撤消它以将其传递给外部源。或者更好的方法是每次都要求外部密码。这是风险与便利的选择。
#3
1
Well, you may encrypt the passwords by user's own password (not storing it anywhere), and just ask for it every time the communication is being made, this way the passwords are probably safe.
好吧,您可以通过用户自己的密码加密密码(不要将密码存储在任何地方),每次进行通信时都要求密码,这样密码可能是安全的。
#4
1
GAH... I wish everyone would just standardise on keys:
GAH ......我希望每个人都能在键上标准化:
<?php
$connection = ssh2_connect('shell.example.com', 22, array('hostkey'=>'ssh-rsa'));
$sth = $dbh->prepare('select keyLoc from auth where username = :user');
$sth->bind_param('user', 'username');
$key = $sth->fetch(PDO::FETCH_ASSOC);
if (ssh2_auth_pubkey_file($connection, 'username',
$key,
'/home/username/.ssh/id_rsa', 'secret')) {
echo "Public Key Authentication Successful\n";
} else {
die('Public Key Authentication Failed');
}
?>
It would make life so much easier. Just copy your public key everywhere and keep your private key on you.
它会让生活变得如此简单。只需在任何地方复制您的公钥,并将您的私钥保存在您身上。
#5
1
What you should do instead is to use Oauth - safer and also much more user friendly when it's implemented correctly.
你应该做的是使用Oauth - 更安全,并且在正确实现时更加用户友好。
Zend oauht客户
#6
0
You can use php mcrypt, see relevant question here. Or if you prefer to encrypt/decrypt server side mySQL has a AES encrypt function.
你可以使用php mcrypt,在这里查看相关问题。或者如果您更喜欢加密/解密服务器端,mySQL具有AES加密功能。
#7
0
You might use something like PKIF (specifically PKIFCRYPTO) and NSS or MS-CAPI. It's not for the faint of heart, but you'll want to demonstrate a certain degree of competence to the users who decide to trust you with their credentials.
您可以使用PKIF(特别是PKIFCRYPTO)和NSS或MS-CAPI之类的东西。这不适合胆小的人,但你会想要向那些决定用他们的凭据信任你的用户展示一定程度的能力。
#1
5
The problem with this in general, is if your system is every compromised, the attacker can get all the passwords for all the systems, because they are encrypted and not hashed. There is no way around this, since you want to be able to get the plain-text passwords.
一般来说,问题在于,如果您的系统遭到全部攻击,则攻击者可以获取所有系统的所有密码,因为它们是加密的而不是哈希的。没有办法解决这个问题,因为您希望能够获得纯文本密码。
If you must do this, you can use something well trusted like OpenSSL to encrypt the passwords.
如果必须这样做,您可以使用像OpenSSL这样受信任的东西来加密密码。
#2
2
From a securities stand point, you really should never store a password anywhere. I would have the user enter their password md5 their password and store that. So when he authenticates its authenticated vs the md5. As for the externals. You could take the external password and XOR the external password with the stored md5. That way you could undo it to pass it to the external source. Or the better way would be to ask for the password every time for the externals. This is a choice of risk vs convenience.
从证券角度来看,你真的不应该在任何地方存储密码。我会让用户输入他们的密码md5他们的密码并存储它。因此,当他验证其认证的与md5。至于外部。您可以使用外部密码和外部密码与存储的md5进行异或。这样你可以撤消它以将其传递给外部源。或者更好的方法是每次都要求外部密码。这是风险与便利的选择。
#3
1
Well, you may encrypt the passwords by user's own password (not storing it anywhere), and just ask for it every time the communication is being made, this way the passwords are probably safe.
好吧,您可以通过用户自己的密码加密密码(不要将密码存储在任何地方),每次进行通信时都要求密码,这样密码可能是安全的。
#4
1
GAH... I wish everyone would just standardise on keys:
GAH ......我希望每个人都能在键上标准化:
<?php
$connection = ssh2_connect('shell.example.com', 22, array('hostkey'=>'ssh-rsa'));
$sth = $dbh->prepare('select keyLoc from auth where username = :user');
$sth->bind_param('user', 'username');
$key = $sth->fetch(PDO::FETCH_ASSOC);
if (ssh2_auth_pubkey_file($connection, 'username',
$key,
'/home/username/.ssh/id_rsa', 'secret')) {
echo "Public Key Authentication Successful\n";
} else {
die('Public Key Authentication Failed');
}
?>
It would make life so much easier. Just copy your public key everywhere and keep your private key on you.
它会让生活变得如此简单。只需在任何地方复制您的公钥,并将您的私钥保存在您身上。
#5
1
What you should do instead is to use Oauth - safer and also much more user friendly when it's implemented correctly.
你应该做的是使用Oauth - 更安全,并且在正确实现时更加用户友好。
Zend oauht客户
#6
0
You can use php mcrypt, see relevant question here. Or if you prefer to encrypt/decrypt server side mySQL has a AES encrypt function.
你可以使用php mcrypt,在这里查看相关问题。或者如果您更喜欢加密/解密服务器端,mySQL具有AES加密功能。
#7
0
You might use something like PKIF (specifically PKIFCRYPTO) and NSS or MS-CAPI. It's not for the faint of heart, but you'll want to demonstrate a certain degree of competence to the users who decide to trust you with their credentials.
您可以使用PKIF(特别是PKIFCRYPTO)和NSS或MS-CAPI之类的东西。这不适合胆小的人,但你会想要向那些决定用他们的凭据信任你的用户展示一定程度的能力。