Is this a wise way to protect a datafeed?

Problem description

I've been thinking of a way to protect my datafeed (JSON strings) from third party apps and websites using it.

So I came up with a way

Client side

long passcode = 15987456L; // random static code
int dateint = 20110528;    // today's date as yyyyMMdd (the order the server parses), all stuck together

// stick the 2 numbers together and do random math on it
// (the joined value has 16 digits, so it needs a long rather than an int)
return (((Long.parseLong(passcode + "" + dateint) * 9) / 2) * 15) / 3;

On the server side (PHP)

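$passcode = '15987456'; // random static code (a string, so the === comparison can match)
// reverse the random math, then render the float as a plain digit string
$key = sprintf('%.0f', ((($_POST['key'] / 9) * 2) / 15) * 3);
if (substr($key, 0, strlen($passcode)) !== $passcode) {
    die("access denied"); // passcode prefix does not match
}
$dateyear = substr($key, strlen($passcode), 4);
$datemonth = substr($key, strlen($passcode) + 4, 2);
$dateday = substr($key, strlen($passcode) + 6, 2);
// compare against the server's date; date() takes quoted format strings
if (!($dateyear === date('Y') && $datemonth === date('m') && $dateday === date('d'))) {
    die("access denied");
}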

Eventually the random static passcode could be fetched from another page and it could then be dynamic...

Don't mind syntax/coding errors. Just wrote this off the top of my head.

Recommended answer

I see three immediate problems:

  • I understand your code is just an example, but your random math isn't very random: x*9/2*15/3 == x*22.5. If someone wants to break that they will. Using a real cryptographic algorithm like md5 or sha would be much more secure.
  • Using today's date in the algorithm isn't very reliable: the client could be on the other side of the world where it's already tomorrow or still yesterday, or the client computer's clock might just be plain off.
  • Finally, if the site that's authorized to use the data feed is a public site, anyone can just look at the JavaScript code and check what the protection algorithm is, making even the most (otherwise) secure algorithm useless.

Here's an example that demonstrates why the key is very easy to crack. If you run the algorithm with a couple of consecutive days you get:

20110905:  2235971776452495360
20110906:  2235971776452495388
20110907:  2235971776452495410
20110908:  2235971776452495428
20110909:  2235971776452495452

The difference between today and tomorrow is 28, between tomorrow and the day after 22, then 18, then 24... There's a clear pattern there and you don't need to observe the code for very long before you see it. The malicious party can just try a couple of numbers that match the pattern and hit the right one very soon.
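An added example, not part of the question or the answer: it models both ends of the scheme in Python to show that one observed key yields the passcode and date with a single division, next to a keyed alternative (HMAC-SHA256 over a timestamp, checked within a clock-skew window) that addresses the answer's first two points. The function names, the secret and the 300-second window are assumptions, and the HMAC variant only helps where the client can keep the secret private, which the answer's third point rules out for code shipped to a public site.

```python
import hashlib
import hmac


def weak_key(passcode: int, dateint: int) -> int:
    """The question's client math, using Java-style integer division."""
    x = int(f"{passcode}{dateint}")
    return (((x * 9) // 2) * 15) // 3


def recover(key: int) -> tuple:
    """Undo the math. key is x * 22.5 rounded down by less than 4, so
    ceil(2 * key / 45) is exactly x; the last 8 digits are the date."""
    digits = str(-(-2 * key // 45))  # ceiling division on integers
    return digits[:-8], digits[-8:]  # (passcode, yyyymmdd)


def sign(secret: bytes, timestamp: int) -> str:
    """HMAC-SHA256 tag over the request timestamp (Unix seconds)."""
    return hmac.new(secret, str(timestamp).encode(), hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, tag: str, now: int,
           max_skew: int = 300) -> bool:
    """Accept a tag only if the timestamp is within max_skew seconds of the
    server clock (tolerates time zones and drifting clocks) and the tag
    matches under a constant-time comparison."""
    if abs(now - timestamp) > max_skew:
        return False
    return hmac.compare_digest(sign(secret, timestamp), tag)


if __name__ == "__main__":
    observed = weak_key(15987456, 20110905)   # a single key seen in a request
    print(recover(observed))                  # passcode and date fall out

    secret = b"constructed-demo-secret"       # constructed sample value
    ts = 1315180800                           # constructed Unix time
    tag = sign(secret, ts)
    print(verify(secret, ts, tag, now=ts + 120))     # inside the window
    print(verify(secret, ts, tag, now=ts + 86400))   # a day later: rejected
```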
