如何接受上的Web API认证没有SSL？ [英] How to accept authentication on a web API without SSL?

问题描述

我要建一个web API非常相似，计算器提供。

I'm building a web API very similar to what StackOverflow provide.

但在我而言安全是重要的，因为数据是私有的。

However in my case security is importance since data is private.

• 我必须使用HTTP。


• 我不能使用SSL。

什么解决方案（S）你建议我？

What solution(s) do you recommend me?

修改：认证加密=

推荐答案

首先，我建议你阅读这篇优秀的文章：的http://piwik.org/blog/2008/01/how-to-design-an-api-best-practises-concepts-technical-aspects/

First of all, I suggest you read this excellent article: http://piwik.org/blog/2008/01/how-to-design-an-api-best-practises-concepts-technical-aspects/

的解决方案是很简单的。它是由 paiement网关我使用（高度安全使用Flickr的像API（基于令牌）和认证方法的结合），但与私人密码/盐来代替。

The solution is very simple. It is a combination of Flickr like API (token based) and authentication method used by the paiement gateway I use (highly secure), but with a private password/salt instead.

要使用该API，无需请求发送密码（在我的情况，这显然因为没有SSL）prevent未经授权的用户，他们必须添加的签名的将包括私人和公共价值的级联的 MD5哈希

To prevent unauthorized users from using the API without having to send the password in the request (in my case, in clear since there is no SSL), they must add a signature that will consist of a MD5 hashing of a concatenation of both private and public values:

• 知道嘛值，如用户名，甚至API路线


• 的用户密码短语


• 由用户生成的唯一code（只能使用一次）

如果我们要求的 / API /路由/ 并通行短语的 kdf8 * S @ ，签名如下所示：

If we request /api/route/ and the pass phrase is kdf8*s@, the signature be the following:

string uniqueCode = Guid.NewGuid().ToString();
string signature = MD5.Compute("/api/route/kdf8*s@" + ticks);

HTTP请求的URL将为：

The URL of the HTTP request will then be:

string requestUrl = 
     string.Format("http://example.org/api/route/?code={0}&sign={1}", uniqueCode, signature);

服务器端，你将不得不prevent具有相同唯一code任何新的请求。 preventing任何攻击者可以简单地重复使用相同的URL，以自己的优势。这是我想避免的情况。

Server side, you will have to prevent any new requests with the same unique code. Preventing any attacker to simply reuse the same URL to his advantage. Which was the situation I wanted to avoid.

因为我不想以存储使用的API消费者认为code，我决定用蜱来替换它。蜱重新presents 12:00:00以来午夜后经过的100纳秒间隔的数量，1月1日，0001。

Since I didn't want to store code that were used by API consumer, I decided to replace it by a ticks. Ticks represents the number of 100-nanosecond intervals that have elapsed since 12:00:00 midnight, January 1, 0001.

在服务器端，我只接受具有±3分钟宽容蜱（时间戳）（如果客户端和放大器;服务器不在时间同步）。这意味着潜在的攻击者将能够使用的窗口的重用网址，但不会永久。安全性降低了一点，但还是不够好，我的情况。

On server side, I only accept ticks (timestamp) with a tolerance of +-3 minutes (in case client & server are not time synchronized). Meaning that potential attacker will be able to use that window to reuse the URL but not permanently. Security is reduced a little, but still good enough for my case.

这篇关于如何接受上的Web API认证没有SSL？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！