简单客户端身份验证API
问题描述:
大家好,
我已经使用Winsocks编写了一个简单的FTP客户端-服务器代码.现在,我想实现一个简单的用户名-密码身份验证,但是在通过MSDN身份验证链接后,我感到非常困惑.您能为它们推荐一些简单的API吗?任何帮助将不胜感激.
Hi All,
I have written a simple FTP Client-Server Code using Winsocks. Now I want to implement a simple Username-Password Authentication but after going through MSDN Authentication Links, I am very confused. Can you suggest some simple APIs for the same. Any help will be appreciated.
答
该过程非常简单.诀窍是您不想通过网络传输密码.
一个简单的方法就是这样.
1.客户端连接
2.服务器发送带有挑战字符串的登录所需数据包
3.客户端将用户名+密码+质询字符串加密为响应字符串.
4.客户端发送用户名和响应字符串进行登录.
5.服务器验证它是否为响应字符串获得相同的值.
您可以将MD5哈希用于质询字符串和响应字符串.网上有很多示例源代码,还有其他哈希类型.
此外,如果您不想将密码存储在服务器上,则可以针对密码字符串对密码进行哈希处理,然后将其存储.然后,客户端将对用户输入的密码执行相同的操作,然后再次对用户名和质询字符串进行哈希处理.
The process is pretty easy. The trick is that you don''t want to transmit the passwords over the wire.
A simple method would work like this.
1. Client connects
2. Server sends a login required packet with challenge string
3. Client encrypts the username + password + challenge string into a response string.
4. Client sends the user name and response string to login with.
5. The server verifies that it gets the same value for the response string.
You can use the MD5 hash for the challenge string and response string. There is plenty of example source code for this, and other hash types on the web.
Further, if you don''t want to store passwords on the server, you can hash the password against a secret string, and store that. The client would then do the same to the password the user enters, before hashing it again against the username and challenge string.