How do I do Authentication and Authorization?


Question


For most examples that I have read regarding communications (HTTP / TCP Sockets etc.) the examples are either very low level "hello world" types that exclude any real world authentication/authorization or are very high level (ASP) that use attributes or an existing framework that handles this.

I would like to know more about how this works in general. This is something that cuts across every platform and every system that communicates using a login.

So for me the evolution goes something like this:
1. Let's require a user name and password. Let's do this by having an admin area and a user area. The admin area can add/remove/approve new user account requests. This can be either a signup page or added manually by an admin.
2. OMG the user names and passwords are sent over the wire in plain text. Let's create a secure encrypted connection *before* sensitive information is passed.
3. Authentication is not enough, we need to authorize users to use certain features. Let's create user "groups" that we can add users to that allow them certain functionality.


I think that 1. and 3. above are handled by my application. I choose the mechanism for the user signup, and the admin modifies the privilege assignment if something other than the default is required. I choose a way to store user information and their passwords (salted hash brown table or something along those lines).

I think the most confusing part is how to accomplish 2. above.

I hear things that I would assume would be classified as "drops" in a good Skrillex tune, such as X509 and HTTPS. But other than ending up at a Wikipedia article explaining what it is, there is little I have found on how to use it.

I get lost as soon as certificates are mentioned, since how do I get/create one and, even more baffling, integrate using one of these?

I do recall seeing some example a while back that had a static byte array which stored the certificate and passed this around / compared to it to authenticate.


Let's say I have two pieces of hardware: one is a Windows computer with a C#/WPF app and the other is a Netduino/Arduino/RPi/BBB etc. I have programmed communication between some of these in the past, and even got as far as steps 1. and 3. above. I have up to this point not found anything that describes how I would add 2. above.

If both of my devices connect over the internet how do I securely pass the certificate/other authentication mechanism so both are trusted? The only way I see this as being totally secure is to have a USB/Serial connection physically between the two to have the certificate passed.

I did come across some systems that use a public/private key (isn't this HTTPS and X509?) and all communication is done using the public key with other functions using the private key. But again, how does this private key get on both devices without exposing it over a connection?

Maybe it has been luck of the draw for me, but I either end up with a book/article that is meant for a PhD dissertation or one so basic that it would be useless in a real world application.

Can anyone provide any info/clues/reading lists as to how this works at about the 7500ft view instead of the typical 30,000 or 10?

Accepted answer

OK - some basics ...

X509 defines a digital certificate format and its contents

a digital certificate holds identification about its owner, and also holds the PUBLIC key component of PKI keypair - the PRIVATE component is held by the owner, securely, on their machine

PKI encryption/decryption can only be done by the keyPAIR - what the private encrypts, the public can decrypt, and vice versa - if I encrypt something with your public key, only your private key can decrypt it - the added advantage is that if you encrypt something with YOUR private key, (stay with me!) only your PUBLIC key can decrypt it - hence I know it came from you, this is how digital signatures work

During the HTTPS handshake, the SERVER passes you (the client) its x509 - from that, you glean its public key, so you (the client) can now encrypt for the server's eyes only - believing that the server IS who it SAYS it is is a function of the x509 certificate chain (simply, the server cert has been countersigned by, say, Thawte, who have done that checking, and have their root cert on your machine)

At this point the server can insist it wants a KNOWN cert from you, but most don't (in most situations, you need to know it's the Bank you're talking to, they don't care who they're talking to) - typically your browser generates a one-time self-signed cert, you exchange that and now you can both talk to each other securely

The https API you use (for the client) will normally handle all the one-time-gen'd stuff, so you don't need to care about that

At the server end, you'll need to provide a certificate and private key - you can generate your own, if it's a 'toy' app, the certificate chain is not really useful - you may have to copy the x509 you generate into the CLIENT'S certificate store, so that it trusts it

(Certificate chain 'trust' works by walking up the chain of certs until you find one you implicitly 'trust' because you happen to have a copy on your machine, normally installed/updated by the OS install)
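The three ideas in this answer (the public key lives in the certificate and the private key stays with the owner; whoever has the certificate can encrypt for the owner and verify the owner's signatures; a client trusts a server certificate by walking its chain up to a root it already holds) can all be exercised in a few lines with Go's standard-library `crypto/x509` and `crypto/rsa`. The following is an added example, not code from the question or answer. All names in it (the "Example Root CA", the device host name `device.example.test`, the "Rogue CA") are constructed for the demonstration. It issues a root CA, a device certificate countersigned by that root, and a look-alike certificate for the same host name issued by a second CA the client has never seen, then shows that only the first chain verifies against the client's trust store, which is the situation the questioner's two-device setup needs to get right.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates an RSA keypair and an X.509 certificate carrying its PUBLIC key.
// With parent == nil the certificate is self-signed (a root CA); otherwise it is
// countersigned by the parent's PRIVATE key, which links it into the parent's chain.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // constructed example name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server/device leaf: the name a client verifies against, and the usage it checks.
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ChainTrusted is the client-side check: walk from leaf up to a root in the
// trust store (the copy "you happen to have on your machine") and confirm the
// leaf is valid for the host being contacted.
func ChainTrusted(leaf, trustedRoot *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// EncryptForOwner: anyone holding the certificate can encrypt for its owner;
// only the matching private key can decrypt (DecryptAsOwner).
func EncryptForOwner(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func DecryptAsOwner(key *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}

// Sign with the private key; anyone with the certificate can verify the
// signature, so a valid one proves the message came from the key's owner.
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

func SignatureValid(cert *x509.Certificate, msg, sig []byte) bool {
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig) == nil
}

// Outcome records the worked scenario: a device certificate from the trusted
// CA, and a look-alike for the same host name from a CA the client never saw.
type Outcome struct {
	TrustedDeviceOK bool
	RogueDeviceOK   bool
	Roundtrip       string
	SignatureOK     bool
	TamperedOK      bool
}

func RunScenario() (Outcome, error) {
	var o Outcome
	root, rootKey, err := issueCert("Example Root CA", true, nil, nil)
	if err != nil {
		return o, err
	}
	device, deviceKey, err := issueCert("device.example.test", false, root, rootKey)
	if err != nil {
		return o, err
	}
	rogueRoot, rogueKey, err := issueCert("Rogue CA", true, nil, nil)
	if err != nil {
		return o, err
	}
	rogue, _, err := issueCert("device.example.test", false, rogueRoot, rogueKey)
	if err != nil {
		return o, err
	}
	o.TrustedDeviceOK = ChainTrusted(device, root, "device.example.test")
	o.RogueDeviceOK = ChainTrusted(rogue, root, "device.example.test")
	ct, err := EncryptForOwner(device, []byte("hello device"))
	if err != nil {
		return o, err
	}
	pt, err := DecryptAsOwner(deviceKey, ct)
	if err != nil {
		return o, err
	}
	o.Roundtrip = string(pt)
	sig, err := Sign(deviceKey, []byte("reading=42"))
	if err != nil {
		return o, err
	}
	o.SignatureOK = SignatureValid(device, []byte("reading=42"), sig)
	o.TamperedOK = SignatureValid(device, []byte("reading=43"), sig)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The rogue certificate carries exactly the same host name as the genuine one and is perfectly well-formed; it fails only because its chain does not end at a root the client holds. That is why, for the two-device case in the question, what has to be distributed out of band is not the private key (which never leaves the device that generated it) but the root certificate, i.e. a public key, which can be copied into the other side's trust store without any secrecy requirement.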

