本文介绍了重置密码ASP.NET - 安全问题?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我已经看到了对这个问题的各种问题,但有没有被问了几个问题。如果用户忘记了密码,我希望他们能够只用他们的电子邮件地址复位(即有没有安全问题/答案)。密码存储为盐腌哈希,所以没有复苏可能。相反,我只是想在用户确认他们已请求复位后,输入新密码。

I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there's no security question/answer). The password is stored as a salted hash, so there's no recovery possible. Instead, I'd just like the user to enter a new password after confirming that they have requested a reset.

这是被提及的常用方法是简单:

1)创建一个随机的Guid /强加密随机数

1) Create a random Guid/Cryptographically strong random number

2)发送包含该随机数给用户的电子邮件的唯一URL
  地址

2) Send a unique URL containing the random number to the user's email address

3)当确认后,系统会要求用户更改密码

3) When confirmed, the user is asked to change password

然而,这不就是开出了 MITM 攻击?如果发送的临时密码在互联网上的电子邮件是不安全的,什么是这样做,并简单地发送一个唯一的URL,攻击者可以浏览到有什么区别?
我错过了关键的一步的地方,将让这个系统更安全(或者是有重置密码的更好的方法)?

However, isn't this open to a MITM attack? If sending a temporary passwords over the internet to an email is insecure, what's the difference between doing that and simply sending a unique URL which the attacker can navigate to?Have I missed a key step somewhere that will make this system more secure (Or is there a better way of resetting the password)?

感谢

推荐答案

如果你正确地构建您的哈希,点击该网址将有来自请求该复位的IP地址。这就要求中间人欺骗的IP和/或伪造头。虽然这是可能的,更独特的可识别的散列到系统中的问题,越难以变得最终围绕散列

If you construct your hash correctly, the url click will have to come from the IP address that requested the reset. This would require the MITM to spoof the IP and/or falsify headers. While this is possible, the more unique you can identify the hash to the system in question, the more difficult it becomes to "end-around" the hash.

此外,还建议该GUID是特定条件的单向散列。另外,也可以使用公开密钥,一个私有密钥解锁以便被点击链接时,这个同样的公共加密系统数据必须伴随散列在请求加密系统数据,和可以解密这些值是唯一的系统将是在服务器持有的私钥。基本上是一个伪PKI附件哈希。

It is also recommended that the guid be a one-way hash of certain criteria. It is also possible to encrypt system data in the request using a public key that a private key unlocks so that when the url is clicked, this same public encrypted system data must accompany the hash, and the only system that could unencrypt these values would be the private key held at the server. Basically a psuedo-PKI attachment to the hash.

这篇关于重置密码ASP.NET - 安全问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-24 17:24
查看更多