没有SSL安全认证 [英] Secure authentication without SSL
问题描述
我开始写一个小的Web应用程序,并已开始考虑安全登录(仅用于管理)。
I'm starting to write a small web application and have started thinking about securing login (only used for administration).
如果我可以,我会安装一个CACERT或自签名的SSL证书,因为现在我是唯一一个登录,但我的主机是不是太宽松。
If I could, I'd install a CACert or self-signed SSL certificate, since for now I'll be the only one logging in, but my host isn't too accommodating.
是否有固定的网站没有SSL的合理的方案?我一直在思考的选项进行验证:
Are there any reasonable options for securing the site without SSL? I've been thinking about options for authentication:
-
实现在JavaScript中腌制的哈希值。当登录页面加载,生成盐服务器端。它发送到客户端中明确并将其存储在一个会话变量。
Implement a salted hash in JavaScript. When the login page is loaded, generate a salt server-side. Send it to the client in the clear and store it in a session variable.
摘要式身份验证。我刚刚发现这个想法浏览左右,它可能是一个很多比我自己的滚动AUTH比较合理的。
Digest authentication. I just found this idea browsing SO, and it's probably a lot more reasonable than rolling my own auth.
OpenID的。这是一个开放的标准,不需要密码(我可以劫持我的OpenID提供商的SSL加安全登录过程),但我不知道OpenID的是如何工作的,或安全性如何。 (需要研究,例如,可以一个OpenID认证重播?)
OpenID. It's an open standard, no passwords are required (and I can "hijack" my OpenID provider's SSL to add security to the login process), but I have no idea how OpenID works or how secure it is. (Needs research. For example, can an OpenID authentication be replayed?)
与所有的这些问题是:
- 会话可以劫持
- 只有在登录是安全的,其他的一切都是在明确
我能想到的登录后固定的应用程序的唯一选项是ASCII的一些恶心的JavaScript和PHP发送加密斑点来回。我不想这样做。
The only option I can think of for securing the app after login is some disgusting JavaScript and PHP sending encrypted blobs of ASCII back and forth. I don't want to do this.
有没有加密(用于pageloads和信息),可以在选择我的服务器端脚本语言来实现,而不祝福还是我的主机的参与,但是这将被浏览器的支持?可以从会话劫持(几乎)固定不SSL?
Is there any encryption (for pageloads and POSTs) that can be implemented in my server-side scripting language of choice without the blessing or involvement of my host, but that would be supported by the browser? Can sessions be secured from hijacking (practically) without SSL?
您会在这样的情况下怎么办?
What would you do in a situation like this?
推荐答案
您可以无需实施打击窃听保护安全的身份验证。例如,您可以发送请求prevent别人,即使他们能读您的要求的内容。如果你需要防止窃听,我建议只去什么地方,你可以使用SSL。
You can securely authenticate without needing to implement protection against eavesdropping. For example, you can prevent others from sending requests, even though they can read the contents of your requests. If you need to protect against eavesdropping, I'd recommend just going somewhere where you can use SSL.
如果你只需要简单的身份验证没有真正的安全,你的供应商可能会支持HTTP基本。这(连同一个很好的设计限制了能力和备份)。是一个合理的过渡解决方案,而你担心其他问题
If you just need simple authentication without real security, your provider will probably support HTTP Basic. This (along with a good design which limits capabilities, and backups ;) is a reasonable interim solution while you worry about other problems.
有关验证你的身份,OpenID的不能被重播。每个身份验证顺序签署。然而,OpenID的本身仅允许您与服务器建立你的身份。它不会让你签或以其他方式进行身份验证的请求。 OAuth的会,但它需要传输加密的协议的一部分。
For authenticating your identity, OpenID can't be replayed. Each authentication sequence is signed. However, OpenID by itself only lets you establish your identity with the server. It won't let you sign or otherwise authenticate a request. OAuth would, but it requires transport encryption for part of the protocol.
您可以签订共享密钥每个请求。这将prevent攻击者提交或重放的请求,但是请求本身仍然可以通过窃听者读取。参见亚马逊AWS认证(包括客户端库)或Flickr的认证文件。基本的协议是:
You could sign each request with a shared secret. This would prevent an attacker from submitting or replaying a request, but the requests themselves can still be read by an eavesdropper. See the documentation for Amazon AWS authentication (which includes client libraries) or flickr's authentication. The basic protocol is:
- 需要一个时间戳(和可能是一个随机数)请求参数
- 正常化,排序连接所有请求参数
- 连接具有URI,主机,动词等。
- 散与密钥
- 在标头中发送哈希与要求
- 服务器不相同,比较签名
这篇关于没有SSL安全认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
