我们真的需要“oauth_nonce"吗? [英] Do we really need "oauth_nonce"?
问题描述
是的,我知道 oauth 的工作原理,但我不知道为什么我们需要 oauth_nonce
.
Right, I know how oauth works, but I don't know why we need oauth_nonce
.
规范说时间戳/随机数必须是唯一的才能解决重放攻击,但是如果 consumer_key
足够独特呢?
The specification says timestamp / nonce has to be unique to solve replay attacks, but what about if consumer_key
is unique enough?
如果consumer_key
不是唯一的,它如何找到对应的oauth_nonce
?
If consumer_key
is not unique, how does it find corresponding oauth_nonce
?
推荐答案
键是唯一的,但不会经常更改.另一方面,每个请求的随机数必须是唯一的.
Keys are unique but don't change often. A nonce on the other hand needs to be unique per request.
考虑以下场景.先决条件是: 攻击者可以监视您的通信,但不知道任何秘密.如果没有随机数,他可以进行重放攻击:他可以简单地复制并重新发送您之前的任何请求,因为他知道您已经发送的请求是有效的.
Consider the following scenario. Prerequisites are: An attacker can spy on your communication but does not know any secrets. If there is no nonce, he can do a replay attack: He can simply duplicate and resend any of your previous requests, because he knows the requests you already send are valid.
随机数可以防止这种情况,因为服务器会检查所有最近使用的随机数 (有时间限制) 并且不接受任何 nonce 两次.
A nonce prevents this, as the server checks all recently used nonces (there is a time limit) and does not accept any nonce twice.
这篇关于我们真的需要“oauth_nonce"吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!