Json Web令牌(JWT)如何真正减少“人在循环中"的攻击? [英] How exactly does Json Web Token (JWT) reduce the man-in-the loop attack?

问题描述

我试图了解JWT，并在网上冲浪各种资源.我找到了显示如何检查JWT是否回火的代码-这是一个很棒的代码，我理解.

I am trying to understand JWT, and surfing various resource on web. I found the code showing how to check whether JWT is tempered -- this is a great one and I understand it.

但是，我不明白中间人如何使用JWT，中间人既可以查看浏览器数据(认为是图书馆中的公共计算机)，也可以嗅探连线(我想这可以避免)通过HTTPS)获取GWT字符串，然后从另一台计算机重播.

However, I don't understand how JWT won't be used by a middle-man who can either look at the browser data (think of a public computer in library) or sniff the wire (I guess this can be avoided by HTTPS though) to get the GWT string, and replay from another computer.

https://float-middle.com/json-web -tokens-jwt-vs-sessions/

[headerB64, payloadB64, signatureB64] = jwt.split('.');

if (atob(signatureB64) === signatureCreatingFunction(headerB64 + '.' + payloadB64) {  
    // good
} else
    // no good
}

推荐答案

实际上，他们可以.您可以采取一些措施来防止这种情况，例如，将请求者的IP地址封装在加密数据中，并给予令牌相对较短的生存时间.但是，关键思想是接收系统仅 个令牌及其加密内容可以执行.服务器可以验证令牌是否有效，并知道令牌没有被更改，但是，由于没有会话"，因此除非令牌的 content ，否则它将无法检测到重播攻击.令牌使它能够这样做. (因此，请这样做！)

Indeed, they can. You can take steps to prevent this by, say, encapsulating the requester's IP-address in the encrypted data, and by giving the token a relatively short time-to-live. But, the key idea is that the receiving system has only the token, and its encrypted content, to act upon. The server can verify that the token is valid and know that it has not been altered, but, since there are no "sessions," it will not be able to detect a replay attack unless the content of the token enables it to do so. (Therefore, do so!)

这篇关于Json Web令牌(JWT)如何真正减少“人在循环中"的攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！