General password security & implementation in ActionScript 3 (security, password, actionscript)

2023-09-08 13:39:47 Author: 哈尔的移动充电宝


My project for this summer is to make a multiplayer online flash game. I could use some advice as I've never implemented a secure login system before, let alone done so in Actionscript.


My setup right now is a .swf sending/receiving game data to/from a Java server which communicates with a MySQL database about account info.


1) How should I proceed in general? I was thinking that maybe I should have my .swf encrypt the password, send it, (have my server encrypt it again?), then store it in the database.


2) I'm sure I can find plenty of guides to encryption in Java. Can anyone recommend an Actionscript library, or even just a general encryption algorithm (so I could search for an AS equivalent myself) which would be acceptable for this task?


Also, my game is communicating via an XMLSocket. I don't think this should cause any security issues but please let me know if I'm mistaken.

Accepted answer

A generally accepted way of sending passwords is to not actually send them at all, as this is considered highly insecure. Instead, as you've mentioned, you send a different form of them such as the hashed password, although this still has some drawbacks - i.e. rainbow tables etc.

Therefore the best approach is to hash the password with a nonce (number only used once), i.e. a random string, and a timestamp, and send that instead. I would then send the hashed string, the nonce and the timestamp in an XML format to your db server, who could then try and reproduce the hashed password using the password you have stored for the user.

This is how the W3C UsernameToken spec does it. See - http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf

<UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <Username>jon</Username>
  <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">9JSGeXj+zpvEp42I20K/1bg8rCE=</Password>
  <Nonce>TaF3g5F37wSHtSdY</Nonce>
  <wsu:Created>2009-07-25T10:29:34Z</wsu:Created>
</UsernameToken>

However, this may introduce unwanted complexity.

So you could simply just hash the password and send it to the server, who would then hash its version of the password, and if it matched you're away. Although at the end of the day, you have to ask yourself how secure the actual .swf file is, because you can decompile them and just jump over the original login anyway. However, for the most part this will be sufficient.

To hash strings I usually use as3crypto (code.google.com/p/as3crypto/) - but I know the Adobe utils package has an MD5 and SHA-1 implementation.

As for the XML socket, this will be fine as long as you have a cross-site policy file in the ActionScript app that allows it to talk to that domain, and one on the domain that allows Flash to talk to it. Otherwise you may get security errors.

Hope this helps.

Jon
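The nonce-plus-timestamp digest the answer describes, carried through on both sides as an added example in Python (not code from the original post, from as3crypto or from the Adobe utils package). The digest is Base64(SHA-1(nonce + created + password)) as in the UsernameToken PasswordDigest profile; the sample account, the five-minute freshness window and the in-memory nonce cache are assumptions, and the server has to hold the password itself to recompute the digest, which is the trade-off the answer hints at.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed sample account (assumption). PasswordDigest needs the server to
# recompute SHA-1(nonce + created + password), so it must hold the password.
USER_DB = {"jon": "correct horse battery staple"}
MAX_SKEW = timedelta(minutes=5)      # assumed freshness window for Created
SEEN_NONCES = set()                  # assumed replay cache (in-memory)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), as in the UsernameToken profile."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def client_token(username: str, password: str, created: str = None) -> dict:
    """Client side (what the .swf would send): the digest plus the nonce and timestamp."""
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    nonce = os.urandom(16)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def verify_token(token: dict) -> bool:
    """Server side: reject unknown users, stale timestamps, replayed nonces, bad digests."""
    password = USER_DB.get(token.get("Username"))
    if password is None:
        return False
    try:
        created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(token["Nonce"])
    except (KeyError, ValueError):
        return False
    if abs(datetime.now(timezone.utc) - created) > MAX_SKEW:
        return False                                  # stale or future Created
    if (token["Nonce"], token["Created"]) in SEEN_NONCES:
        return False                                  # nonce already used: replay
    expected = password_digest(nonce, token["Created"], password)
    if not hmac.compare_digest(expected, str(token.get("PasswordDigest", ""))):
        return False
    SEEN_NONCES.add((token["Nonce"], token["Created"]))
    return True
```

Without the nonce cache and the freshness check, a captured token could simply be resent, so both checks belong on the server even though the digest itself never reveals the password.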