Generating cryptographically secure authentication tokens

Problem description

Background:

This is really a general best-practices question, but some background about the specific situation might be helpful:

We are developing a "connected" application for the iPhone. It will communicate with the backend application via REST services. In order to not have to prompt the user for a username and password every time they launch the application, we will expose a "Login" service that validates their username and password on initial launch and returns an authentication token that can be used for future web service requests for real data. The token may have an expiration time after which we'll ask them to re-authenticate with their username/password.

The Question:

What are the best practices for generating this sort of token to be used for authentication?

For example, we could...

  • Hash (SHA-256, etc) a random string and store it in the database for the given user along with an expiration date. Do a simple lookup of the token on subsequent requests to make sure it matches.
  • Encrypt the user id and some additional information (timestamp, etc) with a secret key. Decrypt the token on subsequent requests to make sure it was issued by us.

This feels like it must be a solved problem.

Solution

Based on the feedback from the other answers to this question, additional research, and offline discussions, here is what we ended up doing...

It was pointed out pretty quickly that the interaction model here is essentially exactly the same as the model used by Forms Authentication in ASP.NET when a "remember me" checkbox is checked. It's just not a web browser making the HTTP requests. Our "ticket" is equivalent to the cookie that Forms Authentication sets. Forms Authentication uses essentially an "encrypt some data with a secret key" approach by default.

In our login web service, we use this code to create a ticket:

string[] userData = new string[4];

// fill the userData array with the information we need for subsequent requests
userData[0] = ...; // data we need
userData[1] = ...; // other data, etc

// create a Forms Auth ticket with the username and the user data. 
FormsAuthenticationTicket formsTicket = new FormsAuthenticationTicket(
    1,
    username,
    DateTime.Now,
    DateTime.Now.AddMinutes(DefaultTimeout),
    true,
    string.Join(UserDataDelimiter, userData)
    );

// encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(formsTicket);

Then we have an operation behavior attribute for the WCF services that adds an IParameterInspector that checks for a valid ticket in the HTTP headers for the request. Developers put this operation behavior attribute on operations that require authentication. Here is how that code parses the ticket:

// get the Forms Auth ticket object back from the encrypted Ticket
FormsAuthenticationTicket formsTicket = FormsAuthentication.Decrypt(encryptedTicket);

// split the user data back apart
string[] userData = formsTicket.UserData.Split(new string[] { UserDataDelimiter }, StringSplitOptions.None);

// verify that the username in the ticket matches the username that was sent with the request
if (formsTicket.Name == expectedUsername)
{
    // ticket is valid
    ...
}
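The two options listed in the question, and the ticket scheme the answer settled on, carried through as an added example in Python's standard library (this is not code from the question or the answer, and not ASP.NET's own implementation). Option 1 keeps only a SHA-256 hash of a random token server-side and looks it up on each request; option 2 is a self-contained ticket carrying the username, issue and expiry times and user data, mirroring the FormsAuthenticationTicket fields the answer uses, and validated the same way (key check, expiry, username must match the request). Because the standard library has no AES, the ticket is authenticated with HMAC-SHA256 rather than encrypted: its contents are readable by the client but cannot be forged or altered without the server key, which is the property that actually makes the validation step meaningful. The in-memory TOKEN_TABLE, the SERVER_KEY and the injectable `now` clock are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Option 1: opaque random token, stored hashed server-side ---

# Constructed stand-in for the database table: sha256(token) -> {user, expires}.
# Storing only the hash means a leaked table does not yield usable tokens.
TOKEN_TABLE = {}


def issue_opaque_token(username, ttl_seconds, now=None):
    """Generate a 256-bit random token, store its hash with an expiry, return the raw token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    TOKEN_TABLE[token_hash] = {"user": username, "expires": now + ttl_seconds}
    return token


def verify_opaque_token(token, expected_username, now=None):
    """Look the token up by hash; it is valid only if unexpired and bound to the requesting user."""
    now = time.time() if now is None else now
    record = TOKEN_TABLE.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["expires"] <= now:
        return False
    return hmac.compare_digest(record["user"].encode(), expected_username.encode())


# --- Option 2: self-contained ticket, authenticated with a server secret ---

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret; a real deployment loads it from config


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(username, user_data, ttl_seconds, key=SERVER_KEY, now=None):
    """Build a ticket "payload.tag" where tag = HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    fields = {"name": username, "issued": now, "expires": now + ttl_seconds, "data": user_data}
    payload = json.dumps(fields, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_ticket(ticket, expected_username, key=SERVER_KEY, now=None):
    """Return the ticket's user data if it is authentic, unexpired and issued to expected_username; else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = ticket.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    # Check the MAC before trusting anything inside the payload.
    expected_tag = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    fields = json.loads(payload)
    if fields["expires"] <= now:
        return None
    if not hmac.compare_digest(fields["name"].encode(), expected_username.encode()):
        return None
    return fields["data"]


if __name__ == "__main__":
    tok = issue_opaque_token("alice", ttl_seconds=600)
    print("opaque token valid:", verify_opaque_token(tok, "alice"))
    tk = issue_ticket("alice", ["role=user", "tz=UTC"], ttl_seconds=600)
    print("ticket user data:", verify_ticket(tk, "alice"))
```

The trade-off between the two options is visible in the code: option 1 needs a database round trip per request but can be revoked instantly by deleting the row, while option 2 needs no storage and scales across servers sharing the key, but remains valid until its expiry unless you add a revocation list. In both cases the username check at the end is what ties the token to the request, exactly as the answer's `formsTicket.Name == expectedUsername` does.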
