验证客户端的真实性 [英] Verify authenticity of an client
问题描述
我对服务器-客户端模型中的安全性有以下担忧...
I have the following concern about security in server-client models...
想象一下:
我有一个C#WinForms客户端,希望与服务器通信(在Mono上的Debian上而不是使用ASP.NET上运行的控制台应用程序C#(Net Framework)中的PHP GET-POST请求,套接字或WebSocket).
I have an C# WinForms client that wants to communicate with a server (PHP GET-POST Requests, Socket or WebSocket in a Console App C# (Net Framework) running on a Debian under Mono, instead of using ASP.NET).
出现的第一个问题是服务器(用PHP或C#编写)是否必须对客户端生成的匿名请求具有某种控制,为此,我们将必须使用由以下类型生成的令牌:服务器处理每个请求.
The first problem that arises is that whether the server (written in PHP or C #) must have some kind of control for the anonymous requests that the client generates, for this, we will have to use some type of token generated by the server to every request.
问题与令牌无关(我的计划是在网络级别使用HTTPS(PHP)或WebSockets(C#)中的SSL/TLS +证书进行客户端-服务器通信,以避免欺骗或MitM).
The problem isn't related to the token (my plan is to use HTTPS (PHP) or SSL / TLS + Certificates in WebSockets (C#) for client-server communications at the network level, to avoid Spoofing or MitM).
当服务器必须给客户端"(我们需要检查其有效性,主要是关注的)令牌以允许客户端发出请求时,就会出现问题.任何客户端从服务器提供令牌都是非常容易的(至少在我计划实现它的过程中,如何复制(反向生成)向服务器发出请求以尝试获取有效令牌的客户端),因此需要帮助).
The problem arises when the server has to give to a "client" (we need to check its validity, that the main concern) a token to allow the client do requests. It would be very easy to any client to give a token from the server (How? Replicating (inverse ingeenering) a client that makes requests to the server to try to obtain valid tokens, at least, as I plan to implement it, hence the need for help).
在我的想法中,是为客户端的汇编文件生成md5或sha哈希.因此,如果有人尝试复制这些步骤,将很困难.因为他/她将需要修改程序集的源代码或制作恶意程序集并通过冲突获得相同的哈希值(这很困难).
In what I was thinking, is to generate a md5 or sha hash for the assembly file of the client. So, if anyone tries to replicate those steps, it will be difficult. Because he/she will need to modify the source code of the assembly or make a malicious assembly and obtain the same hash by collision (this is difficult).
我不知道这个系统的效率如何,所以我需要您在这方面给我一些指导.
I do not know how efficient is this system, so I need you to guide me a bit in this aspect.
我一直在研究OAuth,我认为这种实现不是我想要的,因为这种实现是针对用户级别的(以避免另一个用户违反主用户数据),而不是客户端(应用程序).
I've been looking at OAuth, and I think that this type of implementation is not the one I'm looking for, because this kind of implementations is for the user level (to avoid that another user violates the main user data), not for the client (application).
因此,如果有人可以在这个问题上提供指导,那将会有很大的帮助.
So if someone can guide on this issue it would be of great help.
推荐答案
您无法对客户端进行身份验证,这是不可能的.客户端中的任何内容(攻击者)都是用户已知的,任何秘密,以及您那里拥有的任何内容.唯一的问题是困难,但是您所做的任何事情都不会很困难.
You can't authenticate the client, it is not possible. Anything in the client is known to the user (attacker), any secret, anything you have there. The only question is difficulty, but anything you do, it will not be very difficult.
同样在您的哈希方案中,您将如何处理哈希并将其发送到服务器?当不同的客户端可以发送所需的任何内容(即从网络嗅探到的正确的哈希值)时,为什么其他客户端必须匹配该哈希值?
Also in your hashing scheme, what would you do with the hash, send it to the server? Why would a different client have to match the hash, when it can send whatever it wants (ie. the correct hash, as sniffed from the network)?
同样,由于该软件需要在客户端计算机上运行,因此在该客户端计算机上运行或在网络上发送的任何内容都将泄露给用户,他可以在其他客户端中复制该软件.无法安全地防止这种情况.如果您控制端点之一(即客户端),那么ssl/tls也无济于事.
So again, because the software needs to run on the client machine, anything that runs there or is sent on the network is disclosed to the user, and he can replicate it in a different client. It is not possible to securely prevent this. Also ssl/tls doesn't help here, if you control one of the endpoints (ie.the client).
想象一下,如果有可能的话,软件盗版并不是一件大事,但实际上非常重要.
Imagine if it was possible somehow, software piracy would not be a thing - but it very much is.
这篇关于验证客户端的真实性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
