为什么不是RSA签名通常RESTful API中使用呢? [英] Why isn't RSA signing usually used in RESTful apis?
问题描述
我开发一个简单的应用程序不使用(至少在第一次)任何第三方的授权。我要创建通过的iOS / Android的/无论客户机使用一个RESTful API,所以我读了一堆有关执行REST风格的API。然而,实现这些需要发送某种安全的令牌的通常的方式用于签名的要求;这留下的API容易受到中间人攻击,并推荐的方式来对付它是使用HTTPS。
I develop a simple app that doesn't use (at least, at first) any third-party authorization. I want to create a RESTful api to be used by iOS/Android/whatever clients, so I've read a bunch of information about implementation of RESTful APIs. However, the usual ways of implementing them involve sending some sort of secure "token" that is used to sign the requests; this leaves the API vulnerable to man-in-the-middle attack, and recommended way to counter it is to use HTTPS.
不过,看完这一切都让我纳闷,为什么没有用于此私有/公共密钥签名(如RSA)。这样一来,客户端会从密码生成私钥和公钥,将公钥上登记,并保持客户端上的私钥,即使有人得到了所有的服务器和客户端之间的通讯保持,他仍然不会告发' T为能够模拟客户端。
However, reading all this left me wondering, why aren't private/public keys signing (like RSA) used for this. That way, the client would generate private and public keys from the password, send the public key on registration and keep the private key on the client, and even if someone got hold of all the communications between the server and client, he still wouldn't be able to impersonate the client.
不过,我几乎一无所知密码学和安全性,那么,为什么这种方法不使用,我不能想到的,一定有原因吧?
But I know almost nothing about cryptography and security, so there must be reasons why this method isn't used that I couldn't think of, right?
推荐答案
目前没有计划允许存在非对称密钥对派生从密码。
At the moment there is no scheme exists allowing asymmetric key pair derivation from the password.
的另一个问题是与公共密钥登记。存在与操作的认证的问题,因为任何人都可以具有非对称密钥对,因此必须提供一些附加信息。
公钥证书可以是这样的信息,但是,这需要客户端是一些公钥基础结构的用户。另一种选择,这是在实践中使用,是该客户端的公共密钥/证书被提供给预先服务器
Another problem is with public key registration. There is a problem with doing authentication, because anyone can have asymmetric key pair, so some additional information must be provided. Public key certificate could be such information, however, this requires client to be a user of some public key infrastructure. Another option, which is used in practice, is that client public key/certificate is provisioned to the server beforehand.
在TLS(HTTPS)已经在使用非对称密钥进行验证和交换会话密钥结束。客户端验证服务器的公钥证书(服务器身份验证)和服务器可选可用于客户端的公钥证书(客户端身份验证)这样做。
At the end TLS (HTTPS) is already using asymmetric keys to perform authentication and exchange session keys. Client verifies server's public key certificate (server authentication) and server optionally may do the same for client's public key certificate (client authentication).
这篇关于为什么不是RSA签名通常RESTful API中使用呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
