Genuine Client Validation


Problem description

The scenario is as follows:

I have a client application which is going to connect to a web service. Upon connection, the web service is going to source some critical information back to the client. How can a web service ensure that the request is coming from the genuine client.exe and not from a replaced fake client.exe?

Recommended answer

I'm not sure I understand the concept of a "fake client":

- a client.exe that has been modified by some 3rd party?
- a client.exe that has no valid license?
- a client.exe accessing the data from an unexpected location (for example a valid client.exe being used from outside your customer's network?) or from an unauthorized computer?
- a piece of software that "talks" the right protocol to access the data but is not your client.exe?
- ...

Different techniques would need to be used to address these cases (and probably many others), but I'm pretty sure that any security based (solely?) on client characteristics is weak (something like a security single-point-of-failure :-). Especially the part of making an executable tamper-proof is non-trivial.

Some additional layers would be necessary I guess.

Best advice I ever got about security: You don't go about creating a new security system by yourself, you use an old and proven one. Might be more expensive in the short run but infinitely cheaper over the long haul...

Cristian.

