Secure connection between client and server


Question

I'm developing a server component that will serve requests for an embedded client, which is also under my control.


Right now everything is beta and the security works like this:


  1. client sends username / password over https.

  2. server returns an access token.

  3. client makes further requests over http with the access token in a custom header.


This is fine for a demo, but it has some problems that need to be fixed before releasing it:


  • Anyone can copy a login request, re-send it and get an access token back. As some users replied this is not an issue since it goes over https. My mistake.

  • Anyone can listen and get an access key just by inspecting the request headers.



I can think of a symmetric key encryption, with a timestamp so I can reject duplicate requests, but I was wondering if there are some well known good practices for this scenario (that seems pretty common).

Thanks a lot for your insights.


PS: I'm using Java for the server and the client is coded in C++, just in case.

Answer

I don't get the first part. If the login request is https, how can anyone just copy it?

Regarding the second part, this is a pretty standard session hijacking scenario. See this question. Of course you don't have the built-in browser options here, but the basic idea is the same - either send the token only over a secure connection when it matters, or in some way associate the token with the sending device.


In a browser, basically all you have is IP address (which isn't very good), but in your case you may be able to express something specific about your device that you validate against the request to ensure the same token isn't being used from somewhere else.

Edit: You could just be lucky here and be able to rule out the IP address changing behind proxies, and actually use it for this purpose.


But at the end of the day, it is much more secure to use https from a well-known and reviewed library rather than trying to roll your own here. I realize that https is an overhead, but rolling your own has big risks around missing obvious things that an attacker can exploit.
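A server-side check that combines the two ideas raised on this page, the asker's timestamp for rejecting duplicate requests and the answer's binding of the token to the sending device, as an added Python example that is not code from the question, the answer or the asker's project. The header names, the session store and the per-device key are assumptions; the key would be handed out together with the access token in the HTTPS login step the question already describes.

```python
import hashlib
import hmac
import secrets
import time
# Constructed session store (assumption): per-device key issued with the token at HTTPS login.
SESSIONS = {"tok-123": {"device_id": "dev-A1", "key": b"constructed-device-secret"}}
MAX_SKEW = 60  # seconds a request timestamp may differ from server time

def canonical(method, path, body, device_id, ts, nonce):
    """Bytes both sides MAC over: method, path, body hash, device id, timestamp, nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, device_id, str(ts), nonce]).encode()

def sign_request(token, session, method, path, body, ts=None, nonce=None):
    """Client side: build the custom headers for one request (header names assumed)."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    msg = canonical(method, path, body, session["device_id"], ts, nonce)
    sig = hmac.new(session["key"], msg, hashlib.sha256).hexdigest()
    return {"X-Token": token, "X-Device": session["device_id"],
            "X-Ts": str(ts), "X-Nonce": nonce, "X-Sig": sig}

class Verifier:
    """Server side: validate the headers of a request that arrived over plain HTTP."""
    def __init__(self, sessions, now=time.time):
        self.sessions, self.now = sessions, now
        self.seen = {}  # nonce -> timestamp; entries older than MAX_SKEW are pruned

    def verify(self, headers, method, path, body):
        session = self.sessions.get(headers.get("X-Token"))
        if session is None:
            return "unknown token"
        if headers.get("X-Device") != session["device_id"]:
            return "token not bound to this device"
        if not headers.get("X-Ts", "").isdigit():
            return "bad timestamp"
        ts = int(headers["X-Ts"])
        now = int(self.now())
        if abs(now - ts) > MAX_SKEW:
            return "stale timestamp"  # a captured request cannot be replayed later
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen:
            return "replay"
        msg = canonical(method, path, body, session["device_id"], ts, nonce)
        expected = hmac.new(session["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Sig", "")):
            return "bad signature"  # body, path or device id was altered in transit
        self.seen[nonce] = ts
        return "ok"
```

This stops a captured header set from being reused or altered, but it does not hide the request contents from anyone listening, so the answer's advice to use https where the data matters still stands.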
