英文:
Encrypt data before send it to the database
问题
我被分配了一个任务,要在将数据发送到数据库之前对其进行加密。
我有一个React组件,在这个组件中,用户被要求输入一个代码。这个代码对所有尝试输入的人都是通用的,而不是个人密码。它被存储在后端,使用Python和Flask编写。然而,我被分配了一个任务,要在前端加密数据,将其加密后发送到后端,在那里解密数据,然后检查它是否有效。
说实话,我从未学过网络安全(不确定是否相关),但我考虑创建一个哈希函数来加密和解密数据。我还了解到,React中有一些库可以执行加密操作,或者我可以实现像AES或RSA这样的算法。
有人能否请指导我,并指向一个可以完成工作并且不难理解的方法,以便我可以实施它?
谢谢
英文:
I was given a task to encrypt data before sending it to the database.
I have a React component in which the user is asked to enter a code. This code is common to all those who try to enter and is not a personal password. It is being stored in the backend, written in Python using Flask. However, I was given a task to encrypt the data in the front-end, send it encrypted to the backend, decrypt the data there, and check if it's valid.
To be honest, I never learned cybersecurity (not sure if it's related), but I thought of creating a hash function that will encrypt and decrypt the data. I also read that there are some libraries in React that can perform encryption or I can implement an algorithm like AES or RSA.
Can someone please guide me and point me to a method that can do the job and is not hard to understand, so I can implement it?
Thanks
答案1
得分: 2
However, I was given a task to encrypt the data in the front-end, send it encrypted to the backend, decrypt the data there, and check if it's valid.
然而,我被分配了一个任务,要在前端加密数据,将其加密发送到后端,在那里解密数据并检查其是否有效。
Tell your operations people to use TLS (i.e., HTTPS instead of just HTTP). Then you're done 
That literally encrypts the data at the frontend and decrypts it at the server.
告诉你的运维人员使用TLS(即HTTPS而不是HTTP)。然后你就完成了 这实际上在前端加密数据并在服务器上解密它。
However, guessing why you were told to do this:
然而,猜测为什么要这么做:
This requirement sounds like someone has misunderstood password hashing. Tell whoever formulated that they need to sit down with you and explain what the actual benefit of that is.
这个要求似乎是有人误解了密码哈希。告诉制定这一要求的人,他们需要与你坐下来解释这背后的实际好处是什么。
Yes, you need encryption, but that's done by the transport, not the application. Yes, you should hash passwords, but you only store the (salted) hash in the database – you do not do the hashing in the frontend. That removes all benefits of hashed password storage.
是的,你需要加密,但这是由传输层完成的,而不是应用程序。是的,你应该对密码进行哈希处理,但你只需将(加盐的)哈希存储在数据库中 - 你不应该在前端进行哈希处理。这会取消所有哈希密码存储的好处。
but I thought of creating a hash function that will encrypt and decrypt the data
但是,我考虑创建一个哈希函数来加密和解密数据
Um, that's not a hash function. A hash is irreversible.
嗯,那不是一个哈希函数。哈希是不可逆的。
英文:
> However, I was given a task to encrypt the data in the front-end, send it encrypted to the backend, decrypt the data there, and check if it's valid.
Tell your operations people to use TLS (i.e., HTTPS instead of just HTTP). Then you're done That literally encrypts the data at the frontend and decrypts it at the server.
However, guessing why you were told to do this:
This requirement sounds like someone has misunderstood password hashing. Tell whoever formulated that they need to sit down with you and explain what the actual benefit of that is.
Yes, you need encryption, but that's done by the transport, not the application. Yes, you should hash passwords, but you only store the (salted) hash in the database – you do not do the hashing in the frontend. That removes all benefits of hashed password storage.
> but I thought of creating a hash function that will encrypt and decrypt the data
Um, that's not a hash function. A hash is irreversible.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论