I'm really just looking for some guidance. Here is the scenario:
A user can add an FTP account via a password protected control panel. I need to save these credentials so that the FTP account can be connected to automatically. This is easy but I want to take the most secure approach possible. I was thinking of possibly encrypting the password client-side and then sending the encrypted password to the server for storage. Then the encrypted value would be pulled out and decrypted client side before the FTP connection was made.
I know that isn't too secure but it's all I can think of. Do you guys have any other bright ideas to make this more secure? Thanks!
Securely storing the credentials is easy - encrypt it server-side and you're fine.
Securely transmitting the data is much harder if you can't use SSL.
The simplest way would be to encrypt the data with their hashed password before transmission (from either end); that way the encryption key isn't transmitted with the data or stored as part of the client-side code.
It's not ideal, you ideally want SSL, but it's better than sending plain-text or encrypting with a key stored in (or generated by) your code.
I think your method is actually reasonable, with one major caveat: use public key encryption (aka asymmetric encryption).
Really, as long as you use public key encryption, doing the encryption client-side is not a problem. The whole point of public key encryption is that you can share your public key with the world and yet as long as you keep your private key secure, you'll be the only one who can decrypt it.
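The scheme this answer recommends, as an added example in Go (not code from the original thread): the client seals the FTP password with the server's RSA public key, the server stores only the resulting blob, and only the server's private key can open it when the FTP connection is made. The OAEP label, the 2048-bit minimum and the sample password are my assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// label binds each ciphertext to its purpose (assumed value): a blob sealed
// for some other field does not decrypt as an FTP credential.
var label = []byte("ftp-credential-v1")

// ServerKeys holds the RSA pair. Only PublicKey() ever leaves the server;
// the private half stays in server-side storage.
type ServerKeys struct{ priv *rsa.PrivateKey }

func NewServerKeys() (*ServerKeys, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ServerKeys{priv: k}, nil
}

// PublicKey is what the control panel page ships to the browser.
func (s *ServerKeys) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// ClientEncrypt runs on the client: seal the FTP password with RSA-OAEP
// (SHA-256) so the server stores only this blob, never the plaintext.
// OAEP pads randomly, so two users with the same password get different blobs.
func ClientEncrypt(pub *rsa.PublicKey, ftpPassword string) ([]byte, error) {
	if pub.N.BitLen() < 2048 {
		return nil, errors.New("refusing to encrypt to a weak RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(ftpPassword), label)
}

// Decrypt runs on the server only when the FTP connection is actually made.
// OAEP is integrity-checked: a tampered or mislabelled blob yields an error,
// never garbage that gets sent to the FTP server.
func (s *ServerKeys) Decrypt(blob []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, blob, label)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The private key still has to be protected at rest on the server; the scheme only removes the plaintext password from the wire and from storage.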