Is Forms Authentication Ticket safe enough?


Question


When a user logs in based on default Forms Authentication method, the server creates a cookie containing encrypted data (using Machine Key as key for encryption).

It means that if someone finds/guesses/accesses the Machine Key for the server, he will be logged in to the web application.

I've developed some applications which are on 4 servers. So, I hard-coded the same Machine Key for all the servers in machine.config and I can't use Auto Generate mode.

  1. Is it possible to brute force the Machine Key?
  2. Are there any other methods? (I don't want to use Windows and Passport)
  3. And is Forms Authentication Ticket safe enough? (i.e. acceptable for e-banking applications)

Solution

ASP.NET forms authentication tickets are encrypted using the Rijndael algorithm. Rijndael was created as a replacement for DES (Data Encryption Standard), which offered unlimited ways to encrypt data and was also susceptible to brute force attacks. A number of DES Challenges were organised in the late 90's by RSA Security to challenge teams to crack DES in order to highlight its inherent vulnerabilities: http://en.wikipedia.org/wiki/DES_Challenges

By comparison, Rijndael (also known as Advanced Encryption Standard, AES) uses longer keys - 256 bits and a double encryption algorithm. To crack a 256 bit Rijndael key (such as the ASP.NET machine key) would require 2^200 operations (about 10^60 - ten with 60 zeros), near impossible to brute force crack. Combine that with the fact that the ASP.NET ticket changes regularly, and when decrypted basically looks like a random string of letters and numbers (so impossible to determine if what you've brute force decrypted is correct or not), you can rest assured nobody will be cracking your forms authentication cookie any time soon.

More info about Rijndael and its possible attacks here:

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks
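The question and answer above turn on two properties of the machine key: it must be random enough that guessing it is hopeless, and the server must be able to reject a ticket that was not issued under its own keys. The following is an added, self-contained model of that arrangement; it is not code from the question, the answer, or ASP.NET, and it does not reproduce ASP.NET's real ticket format. It assumes two separately held 256-bit keys (a decryption key and a validation key, mirroring the two `machineKey` attributes), a ticket carrying a user name and expiry, and encrypt-then-MAC protection. Because the Python standard library has no AES, the encryption step uses a stand-in stream cipher built from HMAC-SHA256 in counter mode; in a real deployment that slot is AES, as the answer describes.

```python
"""Model of a forms-authentication-style ticket protected by server-held keys.

Constructed example: a simplified stand-in for ASP.NET's ticket, showing why
random keys plus a validation MAC let the server reject forged, tampered,
expired, or foreign-key tickets.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

KEY_BYTES = 32    # 256-bit keys, the key length the answer discusses
NONCE_BYTES = 16
TAG_BYTES = 32    # HMAC-SHA256 output


def generate_machine_keys():
    """Fresh random keys as hex. A web farm shares the same pair on every server,
    but the values must come from a CSPRNG, never from a hand-typed string."""
    return {"decryptionKey": secrets.token_hex(KEY_BYTES),
            "validationKey": secrets.token_hex(KEY_BYTES)}


def _keystream(key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 as a PRF in counter mode (assumption: used
    # here only because the stdlib lacks AES; production code uses AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_ticket(keys, user_name, lifetime_seconds, now=None):
    """Encrypt the claims with the decryption key, then MAC with the validation key."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user_name, "exp": now + lifetime_seconds}).encode()
    nonce = os.urandom(NONCE_BYTES)
    dec_key = bytes.fromhex(keys["decryptionKey"])
    val_key = bytes.fromhex(keys["validationKey"])
    body = nonce + _xor(payload, _keystream(dec_key, nonce, len(payload)))
    tag = hmac.new(val_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_ticket(keys, ticket, now=None):
    """Return the user name for a valid, unexpired ticket, otherwise None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_BYTES + TAG_BYTES:
        return None
    body, tag = raw[:-TAG_BYTES], raw[-TAG_BYTES:]
    val_key = bytes.fromhex(keys["validationKey"])
    expected = hmac.new(val_key, body, hashlib.sha256).digest()
    # Constant-time compare: a wrong validation key or any edit to the body fails here.
    if not hmac.compare_digest(tag, expected):
        return None
    nonce, ciphertext = body[:NONCE_BYTES], body[NONCE_BYTES:]
    dec_key = bytes.fromhex(keys["decryptionKey"])
    try:
        claims = json.loads(_xor(ciphertext, _keystream(dec_key, nonce, len(ciphertext))))
    except ValueError:
        return None
    if claims["exp"] <= now:     # the ticket's own lifetime is enforced server-side
        return None
    return claims["user"]


def flip_ciphertext_bit(ticket):
    """Return a copy of the ticket with one bit of the encrypted body changed,
    to show that the validation MAC catches modification."""
    raw = bytearray(base64.urlsafe_b64decode(ticket.encode()))
    raw[NONCE_BYTES] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    keys = generate_machine_keys()
    t = issue_ticket(keys, "alice", 1800, now=1_000_000)
    print("valid   :", validate_ticket(keys, t, now=1_000_100))
    print("expired :", validate_ticket(keys, t, now=1_002_000))
    print("tampered:", validate_ticket(keys, flip_ciphertext_bit(t), now=1_000_100))
    print("other keys:", validate_ticket(generate_machine_keys(), t, now=1_000_100))
```

The practical point for the asker's setup: sharing one key pair across four servers is fine as long as the pair was generated like `generate_machine_keys()` does, held only in server configuration, and rotated on a schedule; a ticket issued on one server validates on the others because they hold the same validation key, and a ticket forged or altered without it is rejected before any decryption happens.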
