.net c#简单的质询和响应密码

Simplistic Challenge and Response Password
2020-11-21
  •  译文(汉语)
  •  原文(英语)

我正在编写的程序要求用户在执行代码之前要求管理员提供响应密码,并且该程序是动态的(不是相同的挑战).质询的信息必须简短,并且临时用户可以通过电话向他人朗读某些内容.

我一直在做研究,但是那里的大多数信息都是针对更复杂的高安全性方法的,在这种情况下,由于我们没有保护核信息或其他任何东西,因此不需要.我发现的其他事情非常简单,先提供x,然后给出z的答案,该答案由x + y = z计算得出,但这太简单了.

我试图避免的解决方案:提供一个加密的密钥,使人们很难与他人口头交流以获取响应代码.

是否已经有解决方案可以提供这种类型的挑战,还是我会被一堆串随机字符困住?

更新:

管理员将没有关于用户信息的信息.我只是在寻找一种简单的算法,如果存在的话,这不是一个简单的数学方程式.用户所面临的挑战是通过一种算法自动生成的,管理员可以使用该算法来提供响应值.它可以是字母或数字,但必须小而简单.

速聊1:
乱七八糟的单词或句子呢?
速聊2:
为什么不使用比上面公式更复杂的公式?那行不通吗?管理员是否有权访问有关用户的任何信息,例如用户名或计算机名?您可以将其包含在加密代码中,以使挑战"345"的响应因用户而异,并且因计算机而异.
速聊3:
目前尚不清楚您的要求是什么:是否需要自动生成密码?是否根据请求即时生成和重新生成?涉及到多少人类互动?您是否允许将密码和/或质询保留在数据库中?
速聊4:
我的帖子已经更新.只是寻找非常简单的东西,与数据库或任何东西无关.
解决过程1

假设您有一些要生成"密码"的信息,可以将所有信息组合在一起,用盐(即SHA256)对其进行哈希处理,并获得尽可能多的字节-例如2-3个字节以生成短数字.这样,您可以根据提供的用于验证数据的数据轻松地重新计算相同的值.

var codeByte = ComputeByteArraySha256(
      DateTime.Today + AdminName + UserName + SecretSalt)[13];
var codeText = codeByte.ToString();

根据实际的安全要求,几个字节的哈希可能就足够了.

混合一些其他信息(例如数据库中最新版本的数据)可能使您能够使此类令牌过期/具有一次性令牌.

通过众所周知的方式与用户进行通信(例如按注册的电子邮件/电话)提供这样的代码已被广泛用于验证用户身份.

The program I am writing requires that the user gets challenged for a response password from an admin before it will execute code, and is dynamic (Not the same challenge). The challenged information needs to be short and something a casual user can read to someone else over the phone.

I have been doing research, but most of the information out there is for more complex high security approaches which is not needed in this instance, as we are not protecting nuclear information or anything. Other things I have found have been very simple provide x and then give answer of z which is calculated by x + y = z but that is far too simple.

Solution I am trying to avoid: Providing an encrypted key that is extremely hard for people to verbally communicate to another person to get a response code.

Are there any solutions already out there that provide this type of challenge or will I be stuck with long strings of random characters?

Update:

The admin will have no information on the user information. I am just seeking a simplistic algorithm that isn't a simple math equation if one exists. The challenge for the user is auto generated via an algorithm that the admin can use to provide the response value. It can be alpha or numeric but it must be small and simple.

Talk1:
How about scrambled words or sentences?
Talk2:
why not a more complicated formula than the one you have above? wouldn't that work? does the admin have access to any information about the user, such as their username or the computer name? you could include those in your encryption code so that the response for challenge '345' will be different from user to user and machine to machine.
Talk3:
It's not clear what your requirements are: does the password need to be automatically generated? Generated and re-generated on the fly, per request? How much human interaction is involved? Are you allowed to persist the passwords and/or challenges in a database?
Talk4:
My post has been updated. Just looking for something very simplistic, nothing to do with databases or anything.
Solutions1

Assuming you have some information you want to generate "password" on you can combine all pieces of information, hash it with salt (i.e. SHA256) and get as many bytes as you find useful - like 2-3 bytes to produce short number. This way you can easily re-compute the same value based on data provided to verify data.

var codeByte = ComputeByteArraySha256(
      DateTime.Today + AdminName + UserName + SecretSalt)[13];
var codeText = codeByte.ToString();

Depending on actual security requirements several bytes of hash may be enough.

Mixing in some additional information (like latest version of data in a DB) may give you ability to expire such tokens/have one-use tokens.

Providing such code over well known way to communicate to the user (like per-registered e-mail/phone) is widely used approach to validate user's identity.

转载于:https://stackoverflow.com/questions/28333999/simplistic-challenge-and-response-password

本人是.net程序员,因为英语不行,使用工具翻译,希望对有需要的人有所帮助
如果本文质量不好,还请谅解,毕竟这些操作还是比较费时的,英语较好的可以看原文

留言回复
我们只提供高质量资源,素材,源码,坚持 下了就能用 原则,让客户花了钱觉得值
上班时间 : 周一至周五9:00-17:30 期待您的加入