在应用程序中实现(安全)Api密钥 [英] Implementing (secure) Api Keys in an app

问题描述

我编写了一个Web应用程序，我希望允许其他开发人员从中获取信息.

I wrote a Web Application and I would like to allow other developers to get the information from it.

我正在使用的服务器不是那么糟糕，无法处理那么多请求，因此，其想法是为希望查询我们信息的每个人生成并分配api密钥.使用Api密钥，我可以限制每天的请求，也许可以收集一些统计信息，以查看哪些信息对其他开发人员真正有用.

The server Im working on is not that awsome and cant handle that many request, so the idea is to generate and assign api keys to everyone that wants to query our information. With Api keys I can limit the daily requests and perhaps collect some statistics to see what information is really useful for the other developers.

问题是，我担心它的安全性.由于Api密钥将通过GET/POST等发送到我们的服务器，因此有人可以通过Wireshark嗅探请求，而无需付出太多努力就可以获得开发人员API密钥，对吧?

The thing is, Im concerned about the security aspect of it. Since the Api key is going to be sent to our server (via GET/POST etc), someone could sniff the request with wireshark and get the developers API key without much effort, right?

我考虑过要生成一个秘密密钥和一个API密钥.然后，我可以指示其他开发人员将它们连接起来，并将其哈希值发送到我们的API.然后，我将验证该散列是否有效并允许该请求...但是随后，同样的问题将继续存在.黑客仍然可以嗅探该哈希值，并代表其他开发者的应用程序发出请求.

I thought about generating a secret key and an API key. I could then instruct the other developers to concatenate them and send a hash of it to our API. I would then validate that the hash is valid and allow the request... But then the same problem would persist. A hacker could still sniff that hash and make requests on behalf of the other developer's app.

所以我的问题是

• 如何避免这个问题?
• 或更妙的是，我的担忧是否仍然有效?这是一个真正的问题吗?
• 是否存在一种更好，更安全的方法来允许访问我的信息，而又不会使其他开发人员变得太复杂?

你们怎么看?

推荐答案

我认为您正在尝试在这里解决一系列不同的问题.

I think you're trying to solve a bunch of different questions here.

如果您的目标是限制对服务器的请求数，则应创建一个限制机制.这并非易事，但我将其基于IP地址而不是许可证密钥-单个许可用户可能会因大量请求而使您的系统陷入瘫痪.您可以按IP地址进行限制，而无需实施许可机制.

If your objective is to limit the number of requests to your server, you should create a throttling mechanism. This is non-trivial, but I'd base it on IP address rather than a license key - a single licensed user might swamp your system with lots of requests. You can throttle by IP address without implementing a license mechanism.

如果要创建许可方案，则需要了解加密技术等.这不是一个简单的问题.例如，您如何阻止合法用户与所有朋友共享他们的许可证密钥?您如何阻止黑客窃取您的密钥并与他的所有朋友共享?

If you want to create a licensing scheme, you need to understand cryptography etc. - it's a non-trivial problem. For instance, how do you stop a legitimate user sharing their license key with all their friends? How do you stop a hacker from stealing your key and sharing it with all of his friends?

有很多解决方案-它们都会给您的用户带来一定程度的痛苦.例如，您可以在HTTPS上运行服务；这将停止监听，但会降低性能.您可以为您的服务发行令牌"，这些令牌在一定次数的使用后会失效；获取新令牌需要进行密码交换(这可能会检查您的IP地址).您可能需要挑战/响应"类型的逻辑(包括IP地址验证).所有这些步骤使用户的生活更加艰辛.他们可能不会非常感谢您所做的额外工作.

There are a number of solutions to this - they all impose some degree of pain on your users. For instance, you can run your service on HTTPS; this stops snooping, but reduces performance. You can issue "tokens" for your service which expire after a certain number of uses; getting new tokens requires a cryptographic exchange (which might check your IP address). You might require a "challenge/response" type of logic (including an IP address validation). All these steps make life harder for your users; they probably won't thank you much for the extra work they have to do.

这篇关于在应用程序中实现(安全)Api密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！