dqfxao2898 2017-07-21 08:51

Changing the master password used for encryption

I want to store some data encrypted, for example like a password manager where your master password unlocks all the underlying app/site passwords.

Looking around I found some examples like this, but they seem to use the password as a part of the encryption, similar to a salt in hashing. This means that to decrypt you need the exact same password, so you cannot ever change the password. This doesn't seem great from a security/usability standpoint; if a PW gets compromised, you'd have to remake the whole database under a different PW.

How would you make a system where you can change the master password? Do you do a simple login check, and then use a string to encrypt/decrypt? Wouldn't the static nature plus storage of that string be unsafe?

I know some PHP and a smidge of JavaScript, so if you have examples in those languages that would be nice, but a more general high level explanation is also very much appreciated.


  • dourong6054 2017-07-21 15:07

    You could use public-key cryptography: encrypt the data with the public key, and protect the private key with a password, which can be changed.

    One solution would be:

    1) Generate RSA private and public keys (on Ubuntu):

    openssl genrsa -des3 -out private.key 1024
    openssl rsa -in private.key -pubout > public.key
    

    2) Use the public key to encrypt:

    $key = file_get_contents('/path/to/public.key');
    openssl_public_encrypt("password", $encryptedData, $key);
    

    Save $encryptedData to your database (you cannot use this string as a password hash to match for login, as $encryptedData has random bits added before encryption; you will still need to use a hash function for the passwords).

    3) Use the private key to decrypt, providing the password:

    $key = openssl_pkey_get_private(file_get_contents('/path/to/private.key'), $password);
    
    if($key === false) {
        // false password
        die;
    }
    openssl_private_decrypt($encryptedData, $decryptedData, $key);
    

    4) Change the password:

    openssl rsa -des3 -in private.key -out private.key
    

    This gives you 2 advantages:

    • Separate encryption & decryption applications, encryption does not require private key or password.
    • Password does not need to be saved inside the application.

    This will serve your main requirement of being able to change the password and not re-encrypt the data.

    If you want to further secure your private key (to not allow PHP to directly access your private key, which is useful in case your app is hacked), you can create a decrypt service in your system, to which you send the encrypted data with the password and from which you get the decrypted data.


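The four steps of the answer above, gathered into one runnable Node.js sketch. This is an added example, not code from the answer; the function names, the 2048-bit modulus, OAEP padding and AES-256-CBC wrapping of the private key are assumptions chosen for the example.

```javascript
const crypto = require('crypto');

// Assumed parameters for this example (not taken from the answer).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const wrapWith = (passphrase) =>
  ({ type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase });

// Step 1: generate the key pair; the private key only ever exists on disk
// in passphrase-encrypted form.
function generateVaultKeys(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: wrapWith(passphrase),
  });
}

// Step 2: encrypting needs the public key only, never the passphrase.
// RSA-2048 with OAEP/SHA-256 takes at most 190 bytes per entry.
function encryptEntry(publicKeyPem, plaintext) {
  return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(plaintext, 'utf8'));
}

// Step 3: unlock the private key. Returns null when the passphrase is wrong
// (or the PEM is unreadable) instead of throwing.
function unlockPrivateKey(encryptedPem, passphrase) {
  try {
    return crypto.createPrivateKey({ key: encryptedPem, format: 'pem', passphrase });
  } catch (err) {
    return null;
  }
}

function decryptEntry(encryptedPem, passphrase, ciphertext) {
  const key = unlockPrivateKey(encryptedPem, passphrase);
  if (key === null) return null;
  return crypto.privateDecrypt({ key, ...OAEP }, ciphertext).toString('utf8');
}

// Step 4: change the master password by re-wrapping the same private key.
// Stored ciphertexts are not touched.
function changePassphrase(encryptedPem, oldPassphrase, newPassphrase) {
  const key = unlockPrivateKey(encryptedPem, oldPassphrase);
  if (key === null) throw new Error('old passphrase rejected');
  return key.export(wrapWith(newPassphrase));
}
```

Changing the passphrase only produces a new encrypted copy of the same private key, so any older copy of the key file still opens with the old passphrase and must be overwritten or deleted.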