Today I’m thinking about the problem of websites that use plain HTTP: when a user logs in to an HTTP website, how can we protect the password? The conclusion is that it is not easy, because I haven’t figured out a way to rule out a man-in-the-middle attack without a PKI infrastructure. Maybe in the future, with quantum cryptography, this will be easy, but currently it’s hard.
Nevertheless, we can still make the login process more secure. One approach is to hash the password and transmit only the digest instead of the plain password. If you use this method, don’t forget to change the salt frequently enough. But now I want to try another approach, just for fun.
To implement this we need two parts: one for the back-end and one for the front-end. I’m going to use a Python server as the back-end and a JS script for the front-end.
Install the pure-Python rsa package:
Then we can use it to generate a (public key, private key) tuple.
Then pass the n and e variables to the front-end.
Download the JavaScript RSA library (jsbn) from http://www-cs-students.stanford.edu/~tjw/jsbn/
For now I just use the demo page http://www-cs-students.stanford.edu/~tjw/jsbn/rsa.html.
Copy the n variable into the Modulus (hex) input box and the e variable into the Public exponent (hex, F4=0x10001) input box. Enter a message in Plaintext (string) and click the encrypt button. Now we get the encrypted message in the ciphertext box.
Pass the ciphertext to the Python server.
Python Server Again
We receive the ciphertext as hex text, so first we need to convert it back into a byte string.
Now decrypt it to get the plaintext.
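The whole round trip above, as an added example that is not part of the original post: the server generates the key pair with the rsa package, hands out n and e as the hex strings jsbn expects, and converts the submitted hex ciphertext back to bytes before decrypting. The jsbn demo page is stood in for by a constructed Python function (simulate_frontend_encrypt) that applies the same PKCS#1 v1.5 padding jsbn's rsa.js uses; all function names are my own.

```python
import rsa
from rsa.pkcs1 import DecryptionError

# Server side: generate the pair once at startup; the private key never leaves
# the process. (Assumes the pure-Python `rsa` package the post installs.)
def make_keypair(nbits=1024):
    return rsa.newkeys(nbits)           # -> (PublicKey, PrivateKey)

def public_params_for_frontend(pub):
    """The two values the post pastes into jsbn's Modulus / Public exponent
    boxes, formatted as the hex strings jsbn expects."""
    return {"n": format(pub.n, "x"), "e": format(pub.e, "x")}

def simulate_frontend_encrypt(plaintext, n_hex, e_hex):
    """Constructed stand-in for the jsbn demo page (not jsbn itself): rebuild
    the public key from hex n/e, apply PKCS#1 v1.5 padding as jsbn's rsa.js
    does, and return the ciphertext as the hex string the browser would POST."""
    pub = rsa.PublicKey(int(n_hex, 16), int(e_hex, 16))
    return rsa.encrypt(plaintext.encode("utf-8"), pub).hex()

def decrypt_login_field(cipher_hex, priv):
    """Server side: the 'hex back to bytes' step plus decryption. Returns the
    plaintext, or None when the submitted blob is malformed or tampered with."""
    blocksize = (priv.n.bit_length() + 7) // 8
    # jsbn prints the ciphertext as a big integer, so leading zero bytes can be
    # missing; left-pad to the modulus size, which python-rsa's decrypt requires.
    cipher_hex = cipher_hex.strip().rjust(blocksize * 2, "0")
    try:
        cipher = bytes.fromhex(cipher_hex)
    except ValueError:                  # not hex at all
        return None
    try:
        return rsa.decrypt(cipher, priv).decode("utf-8")
    except (DecryptionError, UnicodeDecodeError):   # bad padding: garbage/tampered
        return None

if __name__ == "__main__":
    pub, priv = make_keypair(512)       # small key so the demo runs fast
    params = public_params_for_frontend(pub)
    ct_hex = simulate_frontend_encrypt("hunter2", params["n"], params["e"])
    print(decrypt_login_field(ct_hex, priv))
    # Flip the last byte in transit: the PKCS#1 padding check rejects it.
    tampered = ct_hex[:-2] + format(int(ct_hex[-2:], 16) ^ 0xFF, "02x")
    print(decrypt_login_field(tampered, priv))
```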
This method does not prevent a man-in-the-middle attack, and if a router between the server and the client has been compromised, the attackers can use it to modify the JS file used by the login page.