TLS是否确保RESTful Java企业中的消息完整性和数据传输的机密性 [英] Does TLS ensure message integrity and confidentiality of data transmission in a RESTful Java enterprise
问题描述
我想根据 OWASP Web服务安全性来应用Web服务安全性。因此我偶然发现了两点:
到目前为止,只有RESTful服务可以由客户端直接访问。对于每个请求,客户端都需要服务器进行身份验证。所有通信均通过TLS保护。我现在不确定 消息完整性 ,因为我听不懂这句话:
< blockquote>
使用公钥加密时,加密确实可以保证机密性,但不能保证完整性,因为
接收者的公钥是公开的。出于同样的原因,加密
不能确保发送者的身份。
是否还需要数据是否由客户端签名以确保消息完整性? TLS只是 点对点 ,关于代理是什么?
关于 消息机密性 ,我对此了解如下。
- 使用TLS来确保消息
- 使用对称加密来加密传输的数据。
- 加密后的数据存储在数据库中。
我知道吗?
从 TLS规范:
TLS协议的主要目标是在两个通信应用程序之间提供隐私和数据
完整性。 [...]
-
连接是私有的。对称加密用于
数据加密(例如DES [DES],RC4 [SCH]等)。 [...] -
连接可靠。消息传输包括使用键控MAC的消息
完整性检查。安全散列函数(例如
SHA,MD5等)用于MAC计算。记录
协议可以在没有MAC的情况下运行,但是通常仅在
这种模式下使用,而另一个协议使用记录协议作为
传输来协商安全参数。
因此,是的,TLS将在消息传输过程中为您提供消息的完整性和机密性,前提是
特别是,客户端需要验证证书以确保它与正确的服务器通信(验证证书是真实的并由
- 使用TLS来确保消息是可信的。
- 使用对称加密来加密传输的数据。
TLS将通过加密提供机密性。 (您需要使用适当的密码套件,尤其是匿名密码套件或加密套件不会使加密为空,但是默认情况下始终如此。)
- 加密的数据存储在数据库中。
如果要加密数据库中的数据,那就是另一个问题。 TLS仅在传输过程中为您提供完整性和机密性。
TLS仅是点对点的,代理是什么?
>
HTTP代理仅按原样中继TLS流量,而无需调查或更改它。 (某些代理服务器可以拦截流量,但是除非您忘记检查证书,否则证书验证将失败。)
I want to apply web service security according to OWASP Web Service Security. Thereby I stumbled over the two points:
So far there is just a RESTful service which can be directly accessed by a client. For each request the client needs to authenticate by the server. All communication is secured via TLS. I'm now unsure about Message Integrity since I don't understand the sentence:
When using public key cryptography, encryption does guarantee confidentiality but it does not guarantee integrity since the receiver's public key is public. For the same reason, encryption does not ensure the identity of the sender.
Is it also required that the data was signed by the client in order that message integrity is ensured? TLS is only point-to-point, what is about proxies?
Concerning Message Confidentiality, I understood it as follows.
- Use TLS to ensure message confidentiality over the wire.
- Use a symmetric encryption to encrypt the transmitted data.
- The encrypted data get stored in data base.
Did I understand that right?
From the TLS specification:
The primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications. [...]
The connection is private. Symmetric cryptography is used for data encryption (e.g., DES [DES], RC4 [SCH] etc.). [...]
The connection is reliable. Message transport includes a message integrity check using a keyed MAC. Secure hash functions (e.g., SHA, MD5, etc.) are used for MAC computations. The Record Protocol can operate without a MAC, but is generally only used in this mode while another protocol is using the Record Protocol as a transport for negotiating security parameters.
So, yes, TLS will provide you with integrity and confidentiality of the message during its transport, provided that it was used correctly.
In particular, the client needs to verify the certificate to ensure it is communicating with the right server (verifying that the certificate is genuine and issued by a trusted party, and issued to the host name it intended to contact).
- Use TLS to ensure message confidentiality over the wire.
- Use a symmetric encryption to encrypt the transmitted data.
TLS will provide confidentiality via encryption. (You need to use an appropriate cipher suite, in particular not a anonymous cipher suite or a cipher suite will null encryption, but that's always the case by default.)
- The encrypted data get stored in data base.
If you want to encrypt the data in your database, that's a different problem. TLS only provides you with integrity and confidentiality during transport. Once it's handled by your web application, it's deciphered.
TLS is only point-to-point, what is about proxies?
HTTP proxies only relay the TLS traffic as-is, without looking into it or altering it. (Some proxy servers can intercept the traffic, but the certificate verification would fail, unless you forget to check the certificate.)
这篇关于TLS是否确保RESTful Java企业中的消息完整性和数据传输的机密性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
