问题描述
当用户登记在我们的网站,我们检查一个地址验证服务的地址。如果输入的地址找到,但有一些错误,该服务可以返回一个地址建议。此sugggestion被返回给用户。
用户可以接受的建议和可信。如果他改变了他的地址不被信任。
有没有检查是否显示给用户的数据是相同的,因为他的职位数据的好办法?我想我需要一个隐藏字段与addressdata的哈希值。但我不舒尔我应该采取哪种算法。该算法应该是情况下,如果可能的不敏感。
该算法应该创建一个防篡改的单向哈希值。
编辑:
这工作pretty好为止。我仍然有umlaute测试(A,U)。
的StringBuilder addressData =新的StringBuilder();
addressData.Append(名字);
addressData.Append(姓氏);
addressData.Append(StreetNumber);
addressData.Append(StreetName);
addressData.Append(市);
addressData.Append(CountryISO);
addressData.Append(邮编);
。字符串stringVal = addressData.ToString()ToLower将(); System.Text.ASCIIEncoding编码=新System.Text.ASCIIEncoding();
字节[] = keyByte encoding.GetBytes(ApplicationConfiguration.ShaKey);
字节[] = messageBytes encoding.GetBytes(stringVal); HMACSHA256 hmacsha256 =新HMACSHA256(keyByte);
字节[] = hashmessage hmacsha256.ComputeHash(messageBytes);
字符串哈希= ByteToString(hashmessage); 返回哈希
使用的 - HMACs被发明为precisely这一目的;用对称密钥验证数据。我不熟悉.NET自己,但标准库似乎提供了很多这样的类从的。 HMAC是比一个普通的哈希更好,因为它是不容易的散长度扩展攻击的
看起来像一个很好的候选
您也应该考虑增加一个字符串,如果要prevent prevent重放攻击 - 否则,用户可以的重发的与随行早期HMAC签名较早的电子邮件
在HMAC密钥必须是一个服务器端的秘密。
When a user registers at our site we check the address with an address validation service. This service can return an address suggestion if the entered address is found but has some errors. This sugggestion is returned to the user.
The user can accept the suggestion and is trusted. If he changes the address he is not trusted.
Is there a good way to check if the data displayed to the user is the same as the data he posts? I guess I need a hidden field with the hash of the addressdata. But I am not shure which algorithm I should take. The algorithm should be case insensitive if possible.
The algorithm should create a tamper-proof oneway hash.
EDIT:
This worked pretty well so far. I still have to test with umlaute (ä,ü ).
StringBuilder addressData = new StringBuilder();
addressData.Append(FirstName);
addressData.Append(LastName);
addressData.Append(StreetNumber);
addressData.Append(StreetName);
addressData.Append(City);
addressData.Append(CountryISO);
addressData.Append(Zip);
string stringVal = addressData.ToString().ToLower();
System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
byte[] keyByte = encoding.GetBytes(ApplicationConfiguration.ShaKey);
byte[] messageBytes = encoding.GetBytes(stringVal);
HMACSHA256 hmacsha256 = new HMACSHA256(keyByte);
byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
string hash = ByteToString(hashmessage);
return hash
Use an HMAC (Hash-based Message Authentication Code) -- HMACs were invented for precisely this purpose; to authenticate data with a symmetric key. I am not familiar with .NET myself, but the standard library seems to provide many such classes inheriting from System.Security.Cryptography.HMAC. HMAC is better than a plain hash because it is not vulnerable to hash length extension attacks.
HMACSHA256 looks like a good candidate.
You should also consider adding a unique value (a nonce) to the string if you want to prevent prevent replay attacks -- otherwise a user can re-send an earlier email with the accompanying earlier HMAC signature.
The HMAC key must be a server-side secret.
这篇关于检查用户更改数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!