Sometimes HTTPS is not enough. Especially when we are talking about protecting user data from trojans with access at the winsock32 level, where they can sniff HTTPS in plain text, or BHO objects that already have access to the decrypted posted data in the browser memory.
In this scenario, I have developed a JavaScript -> classic ASP client-server routine, in which the JavaScript encrypts and sends the data, which is received and decrypted by ASP. It works very well.
This solution was built with xICE encryption, which offers good compatibility between JavaScript and PHP or ASP. But now I'm migrating to ASP.NET or to Java and there's no port for these environments in xICE.
Any suggestions?
3 solutions
#1
Depending on the JavaScript library, it may be easy enough to port to C#, though you will probably want to run through and refactor it a bit. One of the best ways to learn a language is porting a library to it. Otherwise, there are plenty of implementations in JS for AES, and others. Many of these are optimized for ActionScript and JavaScript (some minor differences from EcmaScript proper).
#2
I had never heard of xICE, so I tried to search for more information. All I found was information published by the company, and an article about an algorithm called "ICE" that isn't clearly related. I couldn't locate information about the algorithms used by xICE. The information I found was 4 to 5 years old.
All of these signs are consistent with "snake oil" cryptography. You are unlikely to find any reputable provider of a compatible library for another platform.
I'd recommend using a well-known algorithm, such as AES. Free JavaScript implementations to support client-side cryptography are available. Personally, I like the transparency of "JavaScrypt" (as well as the credo of its author), but there are other implementations that might be faster.
A solution like this provides better cryptography and easier integration with other platforms—for free.
#3
Fundamentally, SSL is enough. Or rather, as good as you can get.
Anything that a client can see, via JavaScript or otherwise, can be seen by trojans and such on the client.
Any JavaScript encryption is security by obscurity.