What's the point of a timestamp in OAuth if a Nonce can only be used one time?


Question

I had at first misinterpreted the timestamp implementation of OAuth into thinking that it meant a timestamp that was not within 30 seconds past the current time would be denied, it turned out this was wrong for a few reasons including the fact that we could not guarantee that each system clock was in sync enough down to the minutes and seconds regardless of time zone. Then I read it again to get more clarity:

"Unless otherwise specified by the Service Provider, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests."

Source: http://oauth.net/core/1.0/#nonce

Meaning the timestamps are only compared in relation to previous requests from the same source, not in comparison to my server system clock.

Then I read a more detailed description here: http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iii-security-architecture/

(TL;DR? - skip to the bold parts below)

To prevent compromised requests from being used again (replayed), OAuth uses a nonce and timestamp. The term nonce means ‘number used once’ and is a unique and usually random string that is meant to uniquely identify each signed request. By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once. This means the Consumer generates a unique string for each request sent to the Service Provider, and the Service Provider keeps track of all the nonces used to prevent them from being used a second time. Since the nonce value is included in the signature, it cannot be changed by an attacker without knowing the shared secret.

Using nonces can be very costly for Service Providers as they demand persistent storage of all nonce values received, ever. To make implementations easier, OAuth adds a timestamp value to each request which allows the Service Provider to only keep nonce values for a limited time. When a request comes in with a timestamp that is older than the retained time frame, it is rejected as the Service Provider no longer has nonces from that time period. It is safe to assume that a request sent after the allowed time limit is a replay attack. OAuth provides a general mechanism for implementing timestamps but leaves the actual implementation up to each Service Provider (an area many believe should be revisited by the specification). From a security standpoint, the real nonce is the combination of the timestamp value and nonce string. Only together they provide a perpetual unique value that can never be used again by an attacker.

The reason I am confused is if the Nonce is only used once, why would the Service Provider ever reject based on timestamp? "Service Provider no longer has nonces from that time period" is confusing to me and sounds as if a nonce can be re-used as long as it is within 30 seconds of the last time it was used.

So can anyone clear this up for me? What is the point of the timestamp if the nonce is a one time use and I am not comparing the timestamp against my own system clock (because that obviously would not be reliable). It makes sense that the timestamps will only be relative to each other, but with the unique nonce requirement it seems irrelevant.

Answer

The timestamp is used for allowing the server to optimize their storage of nonces. Basically, consider the real nonce to be the combination of the timestamp and random string. But by having a separate timestamp component, the server can implement a time-based restriction using a short window (say, 15 minutes) and limit the amount of storage it needs. Without timestamps, the server will need infinite storage to keep every nonce ever used.

Let's say you decide to allow up to 15 minutes time difference between your clock and the client's and are keeping track of the nonce values in a database table. The unique key for the table is going to be a combination of 'client identifier', 'access token', 'nonce', and 'timestamp'. When a new request comes in, check that the timestamp is within 15 minutes of your clock then lookup that combination in your table. If found, reject the call, otherwise add that to your table and return the requested resource. Every time you add a new nonce to the table, delete any record for that 'client identifier' and 'access token' combination with timestamp older than 15 minutes.
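As an added example (not part of the question or of the answer above, and not code from the OAuth specification or the hueniverse article), here is the nonce store the answer sketches, written in Python against an in-memory SQLite table: the window is the answer's 15 minutes, the row key is the (client identifier, access token, nonce, timestamp) tuple, and rows older than the window are pruned on every insert. The client identifier, token and nonce strings are constructed for the demo, the clock is injectable so skew can be simulated, and a single shared database is assumed (a per-process cache would not give the same guarantee across servers).

```python
"""Replay protection for OAuth 1.0 signed requests: nonce + timestamp store.

Added example, not code from the original question or answer. It implements
the scheme the answer describes: a request is accepted only if its timestamp
is within a window of the server clock AND the (client id, access token,
nonce, timestamp) tuple has not been seen before; rows older than the window
are deleted so the table stays bounded. SQLite in memory stands in for "a
database table" (assumption: one shared DB, not a per-process cache).
"""
import sqlite3
import time

WINDOW_SECONDS = 15 * 60  # the answer's "15 minutes"


class NonceStore:
    def __init__(self, window=WINDOW_SECONDS, now=time.time):
        self.window = window
        self.now = now  # injectable clock so the demo can simulate skew
        self.db = sqlite3.connect(":memory:")
        # The UNIQUE constraint is the answer's composite key; it also turns
        # "look up, then insert" into one atomic step, so two copies of a
        # replayed request arriving at once cannot both pass.
        self.db.execute(
            "CREATE TABLE nonces ("
            " client_id TEXT NOT NULL, token TEXT NOT NULL,"
            " nonce TEXT NOT NULL, ts INTEGER NOT NULL,"
            " UNIQUE (client_id, token, nonce, ts))"
        )

    def check(self, client_id, token, nonce, ts):
        """Return (accepted, reason) for one signed request."""
        if not isinstance(ts, int) or ts <= 0:
            return False, "timestamp must be a positive integer"
        server_now = int(self.now())
        # Skew check first: a timestamp outside the window is rejected without
        # any lookup, which is exactly why old nonces need not be remembered.
        if abs(server_now - ts) > self.window:
            return False, "timestamp outside window"
        try:
            with self.db:  # one transaction: insert is the "seen before?" test
                self.db.execute(
                    "INSERT INTO nonces VALUES (?, ?, ?, ?)",
                    (client_id, token, nonce, ts),
                )
                # Prune rows this client/token pair can no longer replay.
                self.db.execute(
                    "DELETE FROM nonces WHERE client_id = ? AND token = ?"
                    " AND ts < ?",
                    (client_id, token, server_now - self.window),
                )
        except sqlite3.IntegrityError:
            return False, "nonce already used"
        return True, "ok"

    def stored(self, client_id, token):
        """Number of rows currently kept for a client/token pair."""
        row = self.db.execute(
            "SELECT COUNT(*) FROM nonces WHERE client_id = ? AND token = ?",
            (client_id, token),
        ).fetchone()
        return row[0]


def demo():
    """Walk through the cases the answer describes, with a fake clock."""
    clock = {"t": 1_700_000_000}
    store = NonceStore(now=lambda: clock["t"])
    client, token = "consumer-key-abc", "access-token-xyz"  # constructed values
    t0 = clock["t"]
    r = {}
    r["fresh"] = store.check(client, token, "n1", t0)[0]           # accepted
    r["replay"] = store.check(client, token, "n1", t0)[0]          # same tuple: rejected
    # The "real nonce" is timestamp + string, so the same string with a
    # different timestamp is a different nonce and is accepted.
    r["same_nonce_new_ts"] = store.check(client, token, "n1", t0 + 1)[0]
    r["stale"] = store.check(client, token, "n2", t0 - WINDOW_SECONDS - 1)[0]   # too old
    r["future"] = store.check(client, token, "n3", t0 + WINDOW_SECONDS + 1)[0]  # too new
    # Move the clock past the window: the early rows are no longer needed.
    clock["t"] = t0 + WINDOW_SECONDS + 60
    r["after_prune"] = store.check(client, token, "n4", clock["t"])[0]
    r["rows"] = store.stored(client, token)  # only n4 remains
    # Replaying n1 now fails on the timestamp alone, even though its row is gone.
    r["replay_after_prune"] = store.check(client, token, "n1", t0)[0]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noting from the code. The skew check comes before the lookup, so a request with a timestamp older than the window is refused without consulting the table at all; that ordering is what lets the prune step discard old rows safely. And the specification's rule that each timestamp be equal to or greater than the previous one is not enforced here, because the answer's scheme does not need it: within the window the composite key catches replays, and outside it the timestamp check does.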
