Storing the OAuth credentials from DropBox securely in a Database for later use

Problem description

I am building a web app which will use the DropBox API to save data to a user's folder. There are 2 parts to the site: an ASP.NET MVC Front End and a Windows Service. At the moment, I was planning on dumping the oauth string and user Id from the authorisation request to the database, and use that in both the service and website calls, but how should I store that information? Should I encrypt it or not? And if so, any recommendations on how? For example, if the database is encrypted, how do I store the Encryption key?

Recommended answer

Do you want to always have access to the user's drop box account or only when they are logged in to your system? I assume the former since you want to store the o-auth token. In that case see the encryption discussion below for why you can't really encrypt it. I'd suggest however, that you take the safer route and only access drop box either when the user is logged in or shortly thereafter (i.e. don't store persistent auth tokens).

When the user logs in, get an oauth token from the dropbox, use it to perform whatever actions they want and if necessary keep it around after they log out to keep doing tasks (background sync or something). However, once that last task finishes, delete the token. This means that if your server is compromised only the logged in users or those that recently logged out are exposed. It's a mitigation, but it's the best you can get.

I believe you can do this with o-auth without explicitly prompting the user for a new token every time. If not, I know you can do it with OpenID, though I could see drop box not allowing that.

Finally, if neither of those works, you could store the o-auth key persistently encrypted under a key derived from the user's password with say PBKDF2 (with like 5000 iterations). When they log in, you decrypt it, use it, and then delete the cleartext copy. The downside to this is 1) password resets require a fresh o-auth token since you no longer have their key and 2) the user must log into your site itself and give you a password so you can derive the key. They cannot use OpenID.

If you want continual access to the oauth token you can't really do meaningful encryption. As you said, where would you store the key? For a web service, there is no good answer. For an end user system, the answer is derive the key from the user's password which you then must not store (this is what LastPass does). You can't do this because you want to have access to the data even when the end (webapp) users are not logged in.

Ok, what about the sysadmin's password? Well since the server is running all the time, this is worthless since a compromise would still reveal the keys. Worse, reboots would take down your app because it needs the sys admin's password to decrypt its data and they are not likely there when the system crashes at 3am.

They make Hardware Security Modules that store keys and perform crypto operations with them, so an attacker could get the key because it never leaves the HSM. However, an attacker could just ask the TPM to decrypt the o-auth string. The best you could do is rate limit this so an attack could only get like 1000 tokens an hour (obviously that rate needs to be larger than legit usage). Given that HSMs are expensive and make hosting expensive because you need a dedicated system, this is not worth it.

In an ideal world, you'd use a TPM to hold the keys and have it only release the data if the system is not compromised. Unfortunately, TPMs currently only support verifying that the correct program (e.g. the boot-loader, then kernel, then user land program) was loaded. They do nothing if that program is compromised after it is loaded, which is the threat vector here. This might change in the next 5 to 10 years, but that does not help you now.
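The password-derived-key scheme from the answer (PBKDF2 over the user's login password, decrypt at login, discard the cleartext) as an added C# example; this is not code from the question, the answer, or the Dropbox SDK. It assumes .NET 8 or later (`Rfc2898DeriveBytes.Pbkdf2` and the two-argument `AesGcm` constructor), SHA-256 as the PBKDF2 PRF, AES-256-GCM as the cipher, and a hypothetical `TokenVault` class and `SealedToken` record that the application would persist per user. The answer's stated iteration count of 5000 is kept as the constant; a modern deployment would raise it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the original page): seals a Dropbox OAuth
// token under a key derived from the user's password, so the database row
// alone is useless without the user being present to log in.
public static class TokenVault
{
    private const int Iterations = 5000; // the answer's suggested count; assumption: SHA-256 PRF
    private const int KeyBytes = 32;     // AES-256
    private const int SaltBytes = 16;
    private const int NonceBytes = 12;   // AES-GCM standard nonce size
    private const int TagBytes = 16;

    // What goes into the database: everything except the password and the key.
    public sealed record SealedToken(byte[] Salt, byte[] Nonce, byte[] Ciphertext, byte[] Tag);

    private static byte[] DeriveKey(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeyBytes);

    // Called once, right after the OAuth authorisation callback, while the
    // user has just logged in and the password is still in hand.
    public static SealedToken Seal(string oauthToken, string password, string userId)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceBytes);
        byte[] key = DeriveKey(password, salt);
        byte[] plaintext = Encoding.UTF8.GetBytes(oauthToken);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagBytes];
        try
        {
            // The user id is bound as associated data, so a sealed token copied
            // into another user's row fails authentication on decrypt.
            using var aes = new AesGcm(key, TagBytes);
            aes.Encrypt(nonce, plaintext, ciphertext, tag, Encoding.UTF8.GetBytes(userId));
        }
        finally
        {
            // Neither the key nor the cleartext token is kept after sealing.
            CryptographicOperations.ZeroMemory(key);
            CryptographicOperations.ZeroMemory(plaintext);
        }
        return new SealedToken(salt, nonce, ciphertext, tag);
    }

    // Called at login. Returns null when the password (or user id) does not
    // match: this is the "password reset" failure mode from the answer, and the
    // caller must re-run the Dropbox authorisation to obtain a fresh token.
    public static string? Unseal(SealedToken sealedToken, string password, string userId)
    {
        byte[] key = DeriveKey(password, sealedToken.Salt);
        byte[] plaintext = new byte[sealedToken.Ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key, TagBytes);
            aes.Decrypt(sealedToken.Nonce, sealedToken.Ciphertext, sealedToken.Tag,
                        plaintext, Encoding.UTF8.GetBytes(userId));
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException)
        {
            // Tag mismatch: wrong password, wrong user, or tampered row.
            return null;
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);
            CryptographicOperations.ZeroMemory(plaintext);
        }
    }

    // Stand-alone walk-through with constructed sample values.
    public static void Main()
    {
        const string userId = "user-42";                      // constructed
        const string token = "EXAMPLE-DROPBOX-OAUTH-TOKEN";  // constructed placeholder
        SealedToken row = Seal(token, "correct horse battery staple", userId);

        Console.WriteLine(Unseal(row, "correct horse battery staple", userId) == token); // True
        Console.WriteLine(Unseal(row, "new password after reset", userId) is null);      // True
        Console.WriteLine(Unseal(row, "correct horse battery staple", "user-43") is null); // True
    }
}
```

The returned cleartext should live only for the duration of the request or background job that needs it, and `SealedToken` is the only thing that reaches the database; the key is recomputed from the password on every login and never written anywhere. Because the service cannot derive the key without the user, this scheme only fits the answer's "access while logged in or shortly after" model, not unattended access by the Windows Service.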
