Java authentication security

2020-05-03 12:18发布

I have a central admin instance of an app where judge accounts are created. In order to use this judge account, a judge instance of the app from another computer needs to authenticate with the central admin. A user instance of the app will send something to the admin, who will push it off to one of the judges.

My problem is how I can authenticate a judge. If I simply send the password, it can be sniffed (since all of these instances are required to be on the same network).

I'm not sure if using SSL would help, but even if it does, I can't use it (I have no control over this).

1条回答
不美不萌又怎样
2楼-- · 2020-05-03 12:42

You could use something like pgp here. So you would use some public key stuff. That would eliminate the need for a password altogether.

With public key encryption every user has a public key and a private key. Stuff that is encrypted with one key, can only be decrypted with the other key. So you can hand out the public public key. If someone wants to send something to you, he can use your public key to encrypt the message, and only you can decrypt it.

So messages to the server would be encrypted with the users private key. He sends the message and his public key. You can have a database lookup on the server side if you know this public key. and if you can decrypt the message with that key, you know that it is sent by that user.

With some work, you probably could use that to identify and authenticate users.

You would just use the judges to vouch for any new user and his public key, when they first talk to the server. So you can create a web of trust.

查看更多
登录 后发表回答