API密钥和秘密密钥如何工作?如果必须将我的API和秘密密钥传递给另一个应用程序,这是否安全? [英] How do API Keys and Secret Keys work? Would it be secure if I have to pass my API and secret keys to another application?
问题描述
我刚刚开始考虑api密钥和秘密密钥是如何工作的.就在2天前,我注册了Amazon S3,并安装了 S3Fox插件.他们要求我同时提供我的访问密钥和秘密访问密钥,这两个都需要我登录才能访问.
I am just starting to think about how api keys and secret keys work. Just 2 days ago I signed up for Amazon S3 and installed the S3Fox Plugin. They asked me for both my Access Key and Secret Access Key, both of which require me to login to access.
所以我想知道,如果他们要我提供我的秘密密钥,他们一定会将它存储在正确的位置吗?问我输入我的信用卡号或密码并将其存储在他们自己的数据库中基本上不是同一回事吗?
So I'm wondering, if they're asking me for my secret key, they must be storing it somewhere right? Isn't that basically the same thing as asking me for my credit card numbers or password and storing that in their own database?
秘密密钥和api密钥应该如何工作?他们需要成为多秘密?这些使用秘密密钥的应用程序是否以某种方式存储它?
How are secret keys and api keys supposed to work? How secret do they need to be? Are these applications that use the secret keys storing it somehow?
推荐答案
Here's how it works: let's say we have a function that takes a number from zero through nine, adds three and, if the result is greater than ten, subtracts ten. So f(2) = 5, f(8) = 1, etc. Now, we can make another function, call it f', that goes backwards, by adding seven instead of three. f'(5) = 2, f'(1) = 8, etc.
这是双向函数及其逆函数的示例.从理论上讲,将一个事物映射到另一事物的任何数学函数都可以颠倒.不过,实际上,您可以创建一个函数来对输入进行很好的加扰,以至于难以逆转.
That's an example of a two-way function and its inverse. Theoretically, any mathematical functions that maps one thing to another can be reversed. In practice, though, you can make a function that scrambles its input so well that it's incredibly difficult to reverse.
接受输入并应用单向功能称为散列"输入,而Amazon在其系统上存储的是您的秘密密钥的散列". SHA1是这种单向"功能的一个示例,它还可以抵抗攻击.
Taking an input and applying a one-way function is called "hashing" the input, and what Amazon stores on their system is a "hash" of your secret key. SHA1 is an example of this kind of "one-way" function, it's also hardened against attacks.
HMAC函数建立在已建立的哈希函数上,以使用已知的密钥对密钥进行身份验证文字字符串.它是这样的:
The HMAC function builds on established hash functions to use a known key to authenticate a string of text. It works like this:
- 您获取请求的文本和密钥,然后应用HMAC功能.
- 您将身份验证标头添加到您的请求中,并将其发送到Amazon.
- Amazon查找密钥的副本以及您刚刚发送的文本并应用HMAC功能.
- 如果结果匹配,他们就会知道您具有相同的密钥.
此方法与PKI之间的区别在于此方法为 RESTful ,允许最少数量的系统与Amazon服务器之间的交换.
The difference between this and PKI is that this method is RESTful, allowing a minimum number of exchanges between your system and Amazon's servers.
与那基本上不是一回事 询问我的信用卡号 或密码并将其存储在他们的 自己的数据库?
Isn't that basically the same thing as asking me for my credit card numbers or password and storing that in their own database?
是的,尽管某人可以对S3造成的损害似乎仅限于耗尽您的帐户.
Yes, though the damage someone can do with S3 seems to be limited to draining your account.
他们需要成为多秘密?是 这些使用秘密的应用程序 密钥以某种方式存储它?
How secret do they need to be? Are these applications that use the secret keys storing it somehow?
在某些时候,您将必须加载密钥,并且在大多数基于Unix的系统上,如果攻击者可以获得root用户访问权限,则他们可以获得密钥.如果对密钥进行加密,则必须具有解密它的代码,并且在某些时候解密代码必须是纯文本,以便可以执行.除了您拥有计算机外,这与DRM的问题相同.
At some point, you're going to have to load the secret key, and with most Unix based systems, if an attacker can get root access they can get the key. If you encrypt the key, you have to have code to decrypt it, and at some point the decryption code has to be plain text so it can be executed. This is the same problem DRM has, except that you own the computer.
在许多情况下,我只是将秘密密钥放入权限受限的文件中,并采取通常的预防措施来防止系统被植根.有一些技巧可以使它在多用户系统上正常工作,例如避免使用临时文件等.
In many cases, I just put secret keys in a file with limited permissions, and take the usual precautions to prevent my system from being rooted. There are a few tricks to make it work properly with a multiuser system, such as avoiding temporary files and such.
这篇关于API密钥和秘密密钥如何工作?如果必须将我的API和秘密密钥传递给另一个应用程序,这是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
