What is the industry standard for securely sending encrypted files from a client to server over the internet?

Question

I'm currently building a filesystem written in Go that sends files from a client to server, in encrypted format. I am very new to information transfer protocols.

I want to send information about the user (username, password hashed with bcrypt) to a server, which would then open a secure session of some type with the client where the server and client could send and receive file data and metadata. This should keep a backup of the client's files on the server, encrypted with a symmetric key that is unique to that user (with AES256 or similar). I want all of this to happen as a background task, without input from the user aside from the user/pass at startup.

  • What would be the best protocol to transfer (encrypted) files? TCP, SSH, SFTP, or something else?
  • What about transferring metadata about files?
  • What is the best way to authenticate a user before opening a session (for this case)? Using certificates or password hashes created from bcrypt?

Answer 1

Score: 4

SSL/TLS is standard. You would need to enable that with a valid certificate from a certificate authority on your domain, i.e. https rather than http. Once you have the SSL connection established, all communication will be encrypted, preventing man-in-the-middle attacks. The standard way to authenticate a user is username/password or any variation of that type, i.e. email/password. You can also use OAuth for authentication. Store the passwords as hashes on your server.

Update:

This article discusses the importance of choosing the correct hashing algorithm. Common hashing algorithms such as MD5 and SHA1 are vulnerable to certain attacks and suffer from collisions. Much more cryptographically strong algorithms have been developed such as bcrypt.

Answer 2

Score: 2

First off, don't roll your own encryption. The easiest way to do what you're looking for would be to open a TLS connection over TCP (making sure to validate the server's certificate), do a password authentication (like you would to a web site), then send file metadata followed by the file contents. TLS can also authenticate the client using a certificate if you prefer.
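
Both answers come down to the same recipe: TLS over TCP with the server's certificate actually verified, a username/password check, and then metadata followed by the file bytes. The Go program below, added here as an illustration and not taken from either answer or from any project, wires those pieces together end to end on loopback. Everything in it beyond the standard library is an assumption made for the example: the JSON header layout (`Metadata`) with a 4-byte length prefix, the self-signed certificate generated in-process in place of a CA-issued one, and the `users` map standing in for a store of bcrypt hashes (bcrypt lives in golang.org/x/crypto, so the check here is a constant-time compare of a stored secret; a real server would call `bcrypt.CompareHashAndPassword`).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Metadata is the header frame sent before the file body. The layout is an assumption of
// this example (the page defines no wire format); the password only ever travels inside TLS.
type Metadata struct {
	User     string `json:"user"`
	Password string `json:"password"`
	Name     string `json:"name"`
	Size     int64  `json:"size"`
}

// WriteFrame sends a 4-byte big-endian header length, the JSON metadata, then the body.
func WriteFrame(w io.Writer, md Metadata, body []byte) error {
	md.Size = int64(len(body))
	hdr, err := json.Marshal(md)
	if err != nil { return err }
	if err = binary.Write(w, binary.BigEndian, uint32(len(hdr))); err != nil { return err }
	if _, err = w.Write(hdr); err != nil { return err }
	_, err = w.Write(body)
	return err
}

// ReadFrame parses the metadata and returns a reader bounded to the declared size, so the
// server can authenticate before it buffers a single byte of file content.
func ReadFrame(r io.Reader) (Metadata, io.Reader, error) {
	md, n := Metadata{}, uint32(0)
	if err := binary.Read(r, binary.BigEndian, &n); err != nil { return md, nil, err }
	if n > 64<<10 { return md, nil, errors.New("metadata frame too large") } // cap before allocating
	hdr := make([]byte, n)
	if _, err := io.ReadFull(r, hdr); err != nil { return md, nil, err }
	if err := json.Unmarshal(hdr, &md); err != nil || md.Size < 0 { return md, nil, errors.New("bad metadata") }
	return md, io.LimitReader(r, md.Size), nil
}

// users is a hypothetical credential store. A deployed server keeps bcrypt hashes and checks them
// with bcrypt.CompareHashAndPassword (golang.org/x/crypto/bcrypt, outside the standard library);
// this example compares the stored secret in constant time instead so it runs with no dependencies.
var users = map[string][]byte{"alice": []byte("correct horse battery")}

// selfSignedCert issues an ephemeral certificate for "localhost" so the example runs offline;
// a deployed server presents a certificate from a real CA, as both answers say.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handle serves one connection: authenticate from the metadata, only then accept the file bytes.
func handle(conn io.ReadWriteCloser) (Metadata, []byte, error) {
	defer conn.Close()
	md, body, err := ReadFrame(conn)
	if err != nil { return md, nil, err }
	if stored, ok := users[md.User]; !ok || subtle.ConstantTimeCompare(stored, []byte(md.Password)) != 1 {
		conn.Write([]byte("ERR auth\n"))
		return md, nil, errors.New("authentication failed")
	}
	data, err := io.ReadAll(body)
	if err == nil && int64(len(data)) != md.Size { err = io.ErrUnexpectedEOF } // body shorter than declared
	if err != nil { return md, nil, err }
	conn.Write([]byte("OK\n"))
	return md, data, nil
}

// Upload runs one client/server round trip over TLS on loopback and returns what the server
// stored plus the reply the client received. The client verifies the server's certificate through
// RootCAs and ServerName; InsecureSkipVerify is never the fix for a failing connection.
func Upload(user, pass, name string, content []byte) (Metadata, []byte, string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil { return Metadata{}, nil, "", err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil { return Metadata{}, nil, "", err }
	defer ln.Close()
	reply := make(chan string, 1)
	go func() { // client side
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12})
		if err != nil { reply <- err.Error(); return }
		defer conn.Close()
		if err = WriteFrame(conn, Metadata{User: user, Password: pass, Name: name}, content); err != nil { reply <- err.Error(); return }
		r, _ := io.ReadAll(conn) // the server closes after its one-line reply
		reply <- string(r)
	}()
	conn, err := ln.Accept()
	if err != nil { return Metadata{}, nil, "", err }
	md, data, err := handle(conn)
	return md, data, <-reply, err
}

func main() {
	md, data, reply, err := Upload("alice", "correct horse battery", "notes.txt", []byte("hello over TLS"))
	fmt.Printf("reply=%q name=%s bytes=%d err=%v\n", reply, md.Name, len(data), err)
}
```

Two design points worth noticing. The server authenticates from the header frame before it reads any file content, so an unauthenticated client cannot make it buffer or store data, and the declared size is enforced both ways (a header larger than 64 KiB is refused, a body shorter than declared is an error). On the client, certificate verification comes from setting `RootCAs` and `ServerName`, which is exactly what Answer 2 means by "validate the server's certificate"; with a CA-issued certificate and a public hostname the `RootCAs` line disappears and the system roots are used.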

Posted by huangapple on 2014-06-29 02:55:51
Source link (keep when reposting): https://go.coder-hub.com/24469945.html