使用hmac保护javascript客户端 [英] Securing a javascript client with hmac
问题描述
我正在研究如何保护我正在处理的javascript应用程序。该应用程序是一个聊天客户端,它使用APE(Ajax Push Engine)作为后端。
I am researching ways to secure a javascript application I am working on. The application is a chat client which uses APE (Ajax Push Engine) as the backend.
目前,任何人都可以访问该页面并向APE发出GET / POST请求服务器。我只想为注册用户提供聊天客户端,我想确保只接受他们的请求。我可以使用PHP的用户名/密码验证来为用户提供页面。但是一旦他们有了这个页面,有什么能阻止他们修改javascript或让它落入坏人之手?
Currently, anyone can access the page and make a GET/POST request to the APE server. I only want to serve the chat client to registered users, and I want to make sure only their requests will be accepted. I can use username/password authentication with PHP to serve a user the page. But once they have the page, what's to stop them from modifying the javascript or letting it fall into the wrong hands?
这种保护客户端/服务器应用程序的方法看起来很有希望: http://abhinavsingh.com/blog/ 2009/12 / how-to-add-content-verification-using-hmac-in-php /
This method for securing a client/server application looks promising: http://abhinavsingh.com/blog/2009/12/how-to-add-content-verification-using-hmac-in-php/
我有另一个消息来源说这是理想的对于javascript客户端,因为它不依赖于发送私钥。但这怎么可能呢?根据上面的教程,客户端需要提供私钥。这似乎不太安全,因为拥有javascript的任何人现在都拥有该用户的私钥。根据我的理解,它可以这样工作:
I have another source that says this is ideal for a javascript client since it doesn't depend on sending the private key. But how can this be? According to to the tutorial above, the client needs to provide the private key. This doesn't seem very safe since anyone who has the javascript now has that user's private key. From what I understand it would work something like this:
- 用户使用用户名和密码登录
- PHP验证用户名和密码,查找用户的私钥并将其插入到javascript中
- Javascript提供签名(使用私钥),以及所有APE的公钥请求
- APE将计算出的签名与收到的签名进行比较,并决定是否处理请求。
- User logs in with a username and password
- PHP validates the username and password, looks up the user's private key and inserts it into the javascript
- Javascript supplies a signature (using the private key), and the public key with all APE requests
- APE compares the computed signature to the received signature and decides whether to handle the requests.
如果javascript应用程序需要知道私钥,这是如何安全的?
How is this secure if the javascript application needs to be aware of the private key?
感谢您的帮助!
推荐答案
HMAC身份验证更适合第三方要连接的API。通过向客户端的浏览器写一个cookie来表明他们已经过身份验证,似乎可以更好地为您的应用程序提供服务。然后,对于每个ajax请求,您可以检查该cookie。
HMAC authentication is better served for an API that third parties are going to connect to. It seems like your app would be better served by writing a cookie to the client's browser indicating that they've been authenticated. Then with each ajax request you can check for that cookie.
编辑:我收回了一些我所说的有关HMAC更适合第三方API的内容。传统上,HMAC每个用户都有自己的私钥。我不认为这对您的申请是必要的。您可以通过保留一个主私钥并为每个用户提供一个唯一的公共密钥(我将其称为公钥,但实际上用户永远不会知道该密钥)来逃脱。当用户登录时,我会写两个cookie。一个是用户的公钥加密的时间戳和另一个说明时间戳是什么的键的组合。然后在服务器端,您可以验证加密密钥并检查时间戳是否在给定阈值内(例如10-30分钟,以防他们在您的应用程序中闲置)。如果他们已经过验证,请更新加密密钥和时间戳,然后冲洗并重复。
I take back a bit of what I said about HMAC being better served for third party APIs. Traditionally with HMAC each user gets their own private key. I don't think this is necessary for your application. You can probably get away with just keeping one master private key and give each user a unique "public" key (I call it a public key, but in actuality the user would never know about the key). When a user logs in I would write two cookies. One which is the combination of the user's public key + time stamp encrypted and another key stating what the time stamp is. Then on the server side you can validate the encrypted key and check that the time stamp is within a given threshold (say 10-30 minutes in case they're sitting around idle on your app). If they're validated, update the encrypted key and time stamp, rinse and repeat.
这篇关于使用hmac保护javascript客户端的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
