如何在没有 SSL 的 Web API 上接受身份验证? [英] How to accept authentication on a web API without SSL?

问题描述

我正在构建一个与 StackOverflow 提供的非常相似的 Web API.

I'm building a web API very similar to what StackOverflow provide.

但是在我的情况下，安全性很重要，因为数据是私密的.

However in my case security is importance since data is private.

• 我必须使用 HTTP.
• 我无法使用 SSL.

您推荐我什么解决方案?

What solution(s) do you recommend me?

编辑:身份验证！=加密

推荐答案

首先，我建议你阅读这篇优秀的文章:http://piwik.org/blog/2008/01/how-to-design-an-api-最佳实践概念技术方面/

First of all, I suggest you read this excellent article: http://piwik.org/blog/2008/01/how-to-design-an-api-best-practises-concepts-technical-aspects/

解决方法很简单.它是 Flickr 之类的 API(基于令牌)和我使用的 paiement gateway 使用的身份验证方法的组合(高度安全)，但使用私人密码/盐代替.

The solution is very simple. It is a combination of Flickr like API (token based) and authentication method used by the paiement gateway I use (highly secure), but with a private password/salt instead.

为了防止未经授权的用户使用 API 而不必在请求中发送密码(在我的情况下，因为没有 SSL，所以很清楚)，他们必须添加签名，其中包括一个MD5 散列，将私有值和公共值串联起来:

To prevent unauthorized users from using the API without having to send the password in the request (in my case, in clear since there is no SSL), they must add a signature that will consist of a MD5 hashing of a concatenation of both private and public values:

• 众所周知的值，例如用户名甚至 API 路由
• 用户密码
• 用户生成的唯一代码(只能使用一次)

如果我们请求/api/route/并且密码是kdf8*s@，那么签名如下:

If we request /api/route/ and the pass phrase is kdf8*s@, the signature be the following:

string uniqueCode = Guid.NewGuid().ToString();
string signature = MD5.Compute("/api/route/kdf8*s@" + ticks);

HTTP 请求的 URL 将是:

The URL of the HTTP request will then be:

string requestUrl = 
     string.Format("http://example.org/api/route/?code={0}&sign={1}", uniqueCode, signature);

服务器端，您必须阻止任何具有相同唯一代码的新请求.防止任何攻击者简单地重用相同的 URL 来为自己谋利.这是我想要避免的情况.

Server side, you will have to prevent any new requests with the same unique code. Preventing any attacker to simply reuse the same URL to his advantage. Which was the situation I wanted to avoid.

由于我不想存储 API 使用者使用的代码，我决定用滴答声代替它.Ticks 表示自 0001 年 1 月 1 日午夜 12:00:00 起经过的 100 纳秒间隔数.

Since I didn't want to store code that were used by API consumer, I decided to replace it by a ticks. Ticks represents the number of 100-nanosecond intervals that have elapsed since 12:00:00 midnight, January 1, 0001.

在服务器端，我只接受公差为 +-3 分钟的刻度(时间戳)(以防客户端和服务器时间不同步).这意味着潜在的攻击者将能够使用该窗口来重复使用 URL，但不能永久使用.安全性有所降低，但对我来说仍然足够.

On server side, I only accept ticks (timestamp) with a tolerance of +-3 minutes (in case client & server are not time synchronized). Meaning that potential attacker will be able to use that window to reuse the URL but not permanently. Security is reduced a little, but still good enough for my case.

这篇关于如何在没有 SSL 的 Web API 上接受身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！