Time stamp in hMAC authentication

Views: 205

Question

As a RESTful web API server, we supply our client a clientid and password. I think it is enough for the client to use clientid + hMAC(clientid hashed by password) for the authentication.

I have looked through some documents which advise using a time stamp or even more information for the base string. I just cannot understand the meaning of that.

Could any guru help explain what exactly the time stamp would help with, for preventing attacks or anything else?

Accepted answer

The issue is that without a timestamp any signed message is valid forever. If an attacker managed to capture a message, they could replay it infinitely, even without compromising the secret you use to sign the message.

If you add a timestamp then a message will expire after a short time, which prevents this. You would choose how long to honor timestamps for in the server application. When you do, remember to consider "future" time, because a client's clock might be slightly ahead of yours and its messages would appear to be from the future to your application.

