How can a server know the request is coming from client, not an eavesdropping hacker?


Problem description

I have a simple question which I can not find a simple answer to, probably I am missing something or I don't know about how some networking concept works. And I want to know what I don't know.

Simply, the question is: while eavesdropping is possible, how can the server know the request is coming from the client, not the eavesdropping hacker?

Scenario:

Whatever the security policy I am having, I should send something to the client. It might be an asymmetric encrypted token or something. The client has no private key, so whatever the client is able to do, send etc., a hacker can do and send too.

What might be the logic behind securing a web application? There should be something secret which only the client knows.


Btw I am learning about JWT and this is the first time I am learning about auth. But this simple question is something I am still unable to find an answer to.

Recommended answer


How can a server know the request is coming from client, not an eavesdropping hacker?

It doesn't.


It is up to the client to verify that the server is the one it expects to be talking to. It's called Public Key Infrastructure.


TLS/SSL can be used so the connection is over HTTPS - note it does not have to be Diffie Hellman, there are other key exchange mechanisms such as RSA.

Imagine the following scenario.

Client --> HTTPS --> example.com


The client will do a DNS lookup for example.com, and say 203.0.113.10 is returned. The client will connect to 203.0.113.10 over HTTPS, and the initial part of the connection is called the handshaking process. Here the client checks that the domain it is thinking of connecting to, example.com, has a certificate signed by a trusted Certificate Authority with the subject set to "example.com". This will prevent the following from happening:

Client --> HTTPS --> Attacker (fake example.com)


For example, if the attacker had taken over a DNS server and changed example.com to point to him (198.51.100.200).


This attack is prevented because the attacker cannot prove ownership of example.com to a Certificate Authority and therefore won't be able to get their certificate signed in order to prove to clients that their server is trusted.


HTTPS also encrypts the connection, and exchanges keys in a secure manner. This ensures that an already established connection cannot be read.


So once a connection is established, and a user logs in, the server will send a session token to the client, which can be in the form of a JWT. If this is a cookie and the Secure Flag is set, this can only be transmitted over an HTTPS connection. This is how the server knows that it hasn't been intercepted because the client has verified the server and has encrypted the data in transit to it using unique keys agreed by both parties.

Client --> HTTPS --> Attacker (fake example.com) --> HTTPS --> example.com

is also not possible (active Man-In-The-Middle), which shows the situation in your original question where somebody intercepts communications and passes the JWT to the real server, observing the private data in transit. This, however, is if plain HTTP is used (no SSL/TLS):

Client --> HTTP --> Attacker (fake example.com) --> HTTP --> example.com
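As an added example (not part of the original answer), the client-side settings that implement the check the answer describes, shown beside the misconfiguration that would let the "fake example.com" in the diagrams succeed, plus the Secure-flagged session cookie; the function names and finding strings are illustrative, not from any real project.

```python
import ssl
from http.cookies import SimpleCookie
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client TLS settings matching the answer: the server's certificate must chain to a
    trusted CA and its subject/SAN must equal the host the client meant to reach."""
    ctx = ssl.create_default_context()            # loads the platform's trusted CA store
    ctx.check_hostname = True                     # subject/SAN must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED           # untrusted or unsigned chain -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The common 'make the warning go away' misconfiguration: any certificate is accepted,
    so an attacker answering the DNS name would be trusted and handed the session token."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # must be off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons an active man-in-the-middle would succeed against this context
    (an empty list means the answer's server-authentication guarantee holds)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate subject not compared to intended hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 accepted")
    return findings


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session token (e.g. a JWT) with the Secure flag from the
    answer, so the browser never sends it over the plain-HTTP path in the last diagram."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["secure"] = True       # HTTPS only
    jar["session"]["httponly"] = True     # not readable by page scripts
    jar["session"]["samesite"] = "Strict"
    return jar["session"].OutputString()


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weakened:", audit_context(weakened_client_context()))
    print(session_cookie_header("constructed.jwt.value"))  # constructed sample token
```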
