MVC 2 AntiForgeryToken - Why symmetric encryption + IPrinciple?

Question

We recently updated our solution to MVC 2, and this has updated the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any more.

The problem is that MVC 2 now uses symmetric encryption to encode some properties about the user, including the user's Name property (from IPrincipal). We are able to securely register a new user using AJAX, after which subsequent AJAX calls will be invalid as the anti forgery token will change when the user has been granted a new principal. There are also other cases when this may happen, such as a user updating their name etc.

My main question is why does MVC 2 even bother using symmetric encryption? And then why does it care about the user name property on the principal?

If my understanding is correct then any random shared secret will do. The basic principle is that the user will be sent a cookie with some specific data (HttpOnly!). This cookie is then required to match a form variable sent back with each request that may have side effects (POSTs usually). Since this is only meant to protect from cross-site attacks, it is easy to craft up a response that would easily pass the test, but only if you had full access to the cookie. Since a cross-site attacker is not going to have access to your user cookies, you are protected.

By using symmetric encryption, what is the advantage in checking the contents of the cookie? That is, if I already have sent an HttpOnly cookie the attacker cannot override it (unless a browser has a major security issue), so why do I then need to check it again?

After having a think about it, it appears to be one of those 'added layer of security' cases - but if your first line of defence has fallen (HttpOnly) then the attacker is going to get past the second layer anyway, as they have full access to the user's cookie collection and could just impersonate them directly, instead of using an indirect XSS/CSRF attack.

Of course I could be missing a major issue, but I haven't found it yet. If there are some obvious or subtle issues at play here then I would like to be aware of them.

Accepted answer

It was added to offer greater protection in the case where you have one subdomain trying to attack another - bad.example.com trying to attack good.example.com. Adding the username makes it more difficult for bad.example.com to contact good.example.com behind the scenes and try to get it to generate a token on your behalf.

Going forward, it's possible that the cookie will be removed as it's not strictly necessary for the proper functioning of the system. (For example, if you're using Forms Authentication, that cookie could serve as the anti-XSRF cookie instead of requiring the system to generate a second cookie.) The cookie might only be issued in the case of anonymous users, for example.
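The following is an added example, not code from the question, the answer or ASP.NET MVC itself. It models the two schemes discussed above in a few lines: the question's plain "cookie must match the form field" check, and the MVC 2 behaviour the answer defends, where the form token is also bound to the authenticated user's name. MVC 2 does this with symmetric encryption; the example uses an HMAC instead (an assumed substitute, chosen because it gives the same binding property with less code). The key, the cookie values and the user names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. A real deployment would use the application's machine key / key ring.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def issue_cookie_token() -> str:
    """Random value the server places in an HttpOnly cookie: the 'shared secret' of the question."""
    return secrets.token_hex(16)


def unbound_form_token(cookie_token: str) -> str:
    """Plain double-submit scheme from the question: the form field simply repeats the cookie."""
    return cookie_token


def validate_unbound(cookie_token: str, form_token: str) -> bool:
    """Passes whenever cookie and form field agree; knows nothing about who the user is."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def bound_form_token(cookie_token: str, username: str) -> str:
    """MVC 2-style token: a keyed MAC over the cookie value AND the principal's Name.

    Anyone who obtains the cookie value alone can still not produce a token that validates for
    a different user name, which is the subdomain case the answer describes. (MVC 2 encrypts
    these fields instead of MAC-ing them; the binding property is the same.)
    """
    message = cookie_token.encode() + b"\x00" + username.encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def validate_bound(cookie_token: str, form_token: str, username: str) -> bool:
    """Server-side check on every state-changing request (POST etc.)."""
    if not cookie_token or not form_token:
        return False
    expected = bound_form_token(cookie_token, username)
    return hmac.compare_digest(expected, form_token)


def demo() -> dict:
    """Walk through the scenarios from the question and the answer; returns the outcomes."""
    cookie = issue_cookie_token()
    other_cookie = issue_cookie_token()

    # Token minted while the session had no principal yet (anonymous), then the AJAX flow
    # registers the user so the principal's Name becomes "alice".
    anon_token = bound_form_token(cookie, "")
    alice_token = bound_form_token(cookie, "alice")

    return {
        # Unbound scheme: cookie possession is the whole story.
        "unbound_ok": validate_unbound(cookie, unbound_form_token(cookie)),
        "unbound_wrong_cookie": validate_unbound(other_cookie, unbound_form_token(cookie)),
        # Bound scheme: still requires the cookie ...
        "bound_ok": validate_bound(cookie, alice_token, "alice"),
        "bound_wrong_cookie": validate_bound(other_cookie, alice_token, "alice"),
        # ... and additionally requires the token to have been minted for this very user.
        "bound_other_user": validate_bound(cookie, bound_form_token(cookie, "mallory"), "alice"),
        # The question's complaint: once the principal changes, the old token is dead and the
        # AJAX client must fetch a fresh one.
        "stale_after_registration": validate_bound(cookie, anon_token, "alice"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} -> {'valid' if ok else 'rejected'}")
```

Running it shows why the answer's binding is not just a redundant second check of the cookie: with the unbound scheme, whoever holds the cookie value holds a valid token for every identity, whereas the bound scheme rejects a token minted under any other Name, and also rejects the pre-registration token, which is exactly the behaviour the question ran into. The practical consequence for an AJAX client is that it must re-read the token after any call that changes the principal.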
