Amazon REST service authentication and security


Question

I was reading about Amazon's authentication process, and they use a custom process which signs each request.

  • I still don't understand how signing every request stops a man-in-the-middle attack, since everyone who sees the request and sees the signature can issue the same request again.

I would also appreciate it if someone shared some bibliography about security or Amazon Web Services or web services in general.

How can SSL help in this situation?

Thanks!

Answer

Here's what the documentation has to say. Basically it boils down to the timestamp, and to mitigate against replay attacks, they suggest using SSL.

Authenticating Requests

Requests to AWS are authenticated by verifying information contained within the request. This verification is performed using the information in the following table.

AWSAccessKeyId: The sender's AWS account is identified by the Access Key ID. The Access Key ID is used to look up the Secret Access Key.

Signature: Each request to a web service that requires authenticated requests must contain a valid request signature, or the request is rejected. A request signature is calculated using the Secret Access Key assigned to the developer's account by AWS, which is a shared secret known only to AWS and the developer.

Timestamp: The date and time the request was created, represented as a string in UTC. The format of the value of this parameter must match the format of the XML Schema dateTime data type.

The second link has this to offer:

The best mechanism for defense against a replay attack is to ensure all your requests are made over an SSL connection. If you cannot use SSL, then the mechanism available to you for prevention of replay attacks is the Expires parameter in signature version 2. This requires your client to be synchronized to atomic time (using NTP, or a similar synchronization protocol). If you do not use the Expires parameter, and rely only on the timestamp parameter, your requests are subject to a request expiration period, which varies by service, but can be as long as 15 minutes.
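Added example, not code from the question, the answer or AWS's documentation: a Python model of the Signature Version 2 signing the answer quotes (verb, host, path and byte-sorted query string under HMAC-SHA256 with the shared secret), with a server-side verify() that rejects tampered, stale and expired requests. It also keeps a hypothetical cache of signatures already accepted inside the window, which goes beyond the quoted text, to show that the Timestamp/Expires window alone only shrinks the replay window rather than closing it. The key, host and parameter values are constructed.

```python
import base64, calendar, hashlib, hmac, time
from urllib.parse import quote
SECRET_KEY = "constructed-secret-not-a-real-credential"  # constructed sample value
MAX_AGE = 15 * 60  # the 15-minute request expiration period quoted in the answer

def xsd_datetime(epoch):
    """Seconds since the epoch -> XML Schema dateTime string in UTC."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(epoch))
def parse_datetime(text):
    return calendar.timegm(time.strptime(text, "%Y-%m-%dT%H:%M:%SZ"))

def string_to_sign(method, host, path, params):
    """Signature Version 2 layout: verb, lowercase host, request URI, then the
    query string byte-sorted and RFC 3986 encoded, with Signature itself left out."""
    canon = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()) if k != "Signature")
    return f"{method}\n{host.lower()}\n{path}\n{canon}"

def sign(method, host, path, params, secret=SECRET_KEY):
    msg = string_to_sign(method, host, path, params).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest()).decode()

def verify(method, host, path, params, now, seen, secret=SECRET_KEY):
    """Server-side acceptance check. `seen` is a hypothetical cache of signatures
    already honoured inside the window; it is an addition, not part of AWS's scheme."""
    sig = params.get("Signature", "")
    if not hmac.compare_digest(sig, sign(method, host, path, params, secret)):
        return "bad-signature"      # forged, or any parameter changed after signing
    if "Expires" in params:
        if now > parse_datetime(params["Expires"]):
            return "expired"        # client-chosen deadline has passed
    elif abs(now - parse_datetime(params["Timestamp"])) > MAX_AGE:
        return "stale-timestamp"    # outside the service's expiration period
    if sig in seen:
        return "replay"             # identical request already accepted once
    seen.add(sig)
    return "ok"

def demo():
    """Constructed scenario: one signed request, then replayed, tampered, and aged."""
    t0 = parse_datetime("2024-01-01T12:00:00Z")
    host, path = "ec2.amazonaws.com", "/"
    req = {"Action": "DescribeInstances", "AWSAccessKeyId": "AKIACONSTRUCTED",
           "Timestamp": xsd_datetime(t0)}
    req["Signature"] = sign("GET", host, path, req)
    seen, tampered = set(), dict(req, Action="DescribeVolumes")
    return [verify("GET", host, path, req, t0 + 5, seen),
            verify("GET", host, path, req, t0 + 30, seen),
            verify("GET", host, path, tampered, t0 + 30, seen),
            verify("GET", host, path, req, t0 + MAX_AGE + 1, seen)]
```

Without the `seen` cache, the second call would be accepted too: inside the window the signature is just as valid on the replay as on the original, which is why the quoted text points to SSL as the primary defense.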
