New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

更新前后端密码传递方式 #75

Closed

Chenrt-ggx opened this issue May 25, 2023 · 1 comment

Chenrt-ggx commented May 25, 2023

目前，symphony 在前端计算密码的 MD5 后发送到后端进行登录，可能存在以下问题：

MD5 本身的安全问题。
在后端进行比较时，可能存在定时攻击问题。

相关代码如下：

final String userPassword = user.optString(User.USER_PASSWORD);
if (userPassword.equals(requestJSONObject.optString(User.USER_PASSWORD))) {
    // ......
}

建议修改前后端密码传递方式，以下过程供参考，也可以参考 SpringSecurity 中的处理：

前端通过静态资源或 API 获得 RSA 公钥。
前端将用户的密码使用 RSA 公钥加密后发给后端。
后端使用 RSA 私钥解密获得明文密码。
后端对明文密码进行安全 Hash。
后端 Constant Time 比对计算结果和数据库中的密码。

Owner

88250 commented May 25, 2023

和 #74 的处理一样，感谢反馈。

88250 closed this as completed

88250 added a commit that referenced this issue


          🎨 Update README

f0fe0c6

#74
#75

88250 added a commit that referenced this issue


          🎨 Update README

9af38c1

#74
#75

88250 added a commit that referenced this issue


          🎨 Update README

6550daf

#74
#75

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment