WebSocket框架中的遮罩是什么? [英] What is the mask in a WebSocket frame?

问题描述

我正在研究websocket的实现，不知道框架中的遮罩感觉是什么.

I am working on a websocket implementation and do not know what the sense of a mask is in a frame.

有人可以解释一下它的作用以及为什么推荐它吗?

Could somebody explain me what it does and why it is recommend?

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-------+-+-------------+-------------------------------+
 |F|R|R|R| opcode|M| Payload len |    Extended payload length    |
 |I|S|S|S|  (4)  |A|     (7)     |             (16/64)           |
 |N|V|V|V|       |S|             |   (if payload len==126/127)   |
 | |1|2|3|       |K|             |                               |
 +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
 |     Extended payload length continued, if payload len == 127  |
 + - - - - - - - - - - - - - - - +-------------------------------+
 |                               |Masking-key, if MASK set to 1  |
 +-------------------------------+-------------------------------+
 | Masking-key (continued)       |          Payload Data         |
 +-------------------------------- - - - - - - - - - - - - - - - +
 :                     Payload Data continued ...                :
 + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
 |                     Payload Data continued ...                |
 +---------------------------------------------------------------+

推荐答案

Websocket在RFC6455中定义，该声明在第5.3节:

Websockets are defined in RFC6455, which states in Section 5.3:

屏蔽密钥的不可预测性是 防止恶意应用程序的作者选择必不可少的 导线上显示的字节.

The unpredictability of the masking key is essential to prevent authors of malicious applications from selecting the bytes that appear on the wire.

在关于Websocket的博客条目中，我找到了以下解释:

In a blog entry about Websockets I found the following explanation:

masking-key(32位):如果设置了mask位(并且相信我，这是如果您为服务器端编写的)，则可以在此处读取用于对有效负载进行异或的无符号字节. 它用于确保卑鄙的代理不会被客户端的攻击者滥用.

但我在邮件列表档案中找到的最明确的答案.约翰·坦普林(John Tamplin)说:

But the most clearly answer I found in an mailing list archive. There John Tamplin states:

基本上，WebSockets是唯一的，因为您需要保护网络 基础结构，即使您在客户端中运行了恶意代码，也已满 对服务器的敌对控制，唯一可以信任的是 客户端浏览器. 通过让浏览器为每个浏览器生成一个随机掩码 框架，敌对的客户端代码无法选择出现的字节模式 并利用它来攻击易受攻击的网络基础架构.

Basically, WebSockets is unique in that you need to protect the network infrastructure, even if you have hostile code running in the client, full hostile control of the server, and the only piece you can trust is the client browser. By having the browser generate a random mask for each frame, the hostile client code cannot choose the byte patterns that appear on the wire and use that to attack vulnerable network infrastructure.

如kmkaplan所述，攻击媒介在攻击者的第10.3节中进行了描述. RFC.
这是一种防止代理缓存中毒攻击的措施(请参阅有关攻击的文件). 它的作用是创建一些随机性.您必须将有效负载与随机屏蔽密钥进行异或.

As kmkaplan stated, the attack vector is described in Section 10.3 of the RFC.
This is a measure to prevent proxy cache poisoning attacks (see Paper about the attack). What it does, is creating some randomness. You have to XOR the payload with the random masking-key.

顺便说一句:不只是推荐.这是必填.

By the way: It isn't just recommended. It is obligatory.

这篇关于WebSocket框架中的遮罩是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！