I am planning to implement my own very simple "hashing" formula to add a layer of security to an app with multiple users. My current plan is as follows:

  1. User creates an account at which point an ID is generated on the backend. The ID is run through a formula (let's say ID * 57 + 8926 - 36 * 7, or something equally random). I then send back to the frontend the new user ID and the new "hashed" number and store them in localStorage.
  2. User tries to access a secured area (let's say a settings page so they can change their own settings).
  3. I send the backend two values: their ID and the hashed number. I run the ID through the same formula to check it matches the hashed value I've received. If the check passes, they can get in. So if someone has tried, say, changing their ID in localStorage to get access to another user's settings page, the only way they could achieve that is if they guess what the formula was. They could easily guess a user ID, but guessing that the corresponding number is the result of ID * 57 + 8926 - 36 * 7 seems pretty unlikely.


I'm doing this because it would be quicker/cheaper than a db lookup for an actual hashed value... I think? Would it make more sense to use a package to create some kind of primary key/uuid instead of "hashing" my own value and doing a db lookup each time?


Tech stack: React on FE, Python on BE, SQL db.



Two properties of real hashes that you are missing with this are

  • A small change in the input causes a large change in the output
  • All hashes have the same length


This could be a problem if a user somehow knows their own id and hash. With your self-made hash I could easily find out the hash of a random other user by reverse engineering the hash.


08-10 22:49
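Added example, not code from the question or the answer: the linear formula from the question next to a keyed HMAC tag over the same ID, which has both properties the answer lists and can still be verified on the backend without a database lookup. SERVER_KEY is a constructed placeholder.

```python
import hmac
import hashlib

# Added example, not code from the original post. SERVER_KEY is a constructed
# placeholder: a real key is generated randomly and kept only on the backend.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def weak_tag(user_id: int) -> int:
    """The poster's formula, ID * 57 + 8926 - 36 * 7, which is linear in ID."""
    return user_id * 57 + 8926 - 36 * 7

def recover_linear_formula(id_a: int, tag_a: int, id_b: int, tag_b: int):
    """Two (id, tag) pairs fully determine a*id + b. This is the reverse
    engineering the answer warns about: someone who controls two accounts
    can compute every other user's tag."""
    a = (tag_b - tag_a) // (id_b - id_a)
    return a, tag_a - a * id_a

def hmac_tag(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Keyed tag over the ID: fixed length, nearby IDs give unrelated output,
    and it cannot be computed without the server-side key."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()

def verify(user_id: int, presented_tag: str, key: bytes = SERVER_KEY) -> bool:
    """Backend check for the settings page, no database lookup needed.
    compare_digest avoids leaking the correct tag through timing."""
    return hmac.compare_digest(hmac_tag(user_id, key), presented_tag)

def differing_bits(h1: str, h2: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")

if __name__ == "__main__":
    # Weak scheme: tags of two constructed IDs reveal the whole formula.
    a, b = recover_linear_formula(1001, weak_tag(1001), 1002, weak_tag(1002))
    print("recovered formula: tag = %d * id + %d" % (a, b))
    print("forged tag for id 7 matches:", a * 7 + b == weak_tag(7))
    # Keyed scheme: adjacent IDs give unrelated tags of identical length.
    t1001, t1002 = hmac_tag(1001), hmac_tag(1002)
    print("bits differing between tags for 1001 and 1002:",
          differing_bits(t1001, t1002), "of 256")
    print("tampered id 1002 with 1001's tag accepted:", verify(1002, t1001))
    print("id 1001 with its own tag accepted:", verify(1001, t1001))
```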