Do we really need "oauth_nonce"?


Problem description

Right, I know how oauth works, but I don't know why we need oauth_nonce.

The specification says the timestamp / nonce has to be unique to prevent replay attacks, but what if consumer_key is unique enough?

If consumer_key is not unique, how does it find corresponding oauth_nonce?

Recommended answer

Keys are unique but don't change often. A nonce on the other hand needs to be unique per request.

Consider the following scenario. Prerequisites are: an attacker can spy on your communication but does not know any secrets. If there is no nonce, he can do a replay attack: he can simply duplicate and resend any of your previous requests, because he knows the requests you have already sent are valid.

A nonce prevents this, as the server checks all recently used nonces (there is a time limit) and does not accept any nonce twice.
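The server-side check the answer describes, as an added example that is not part of the original question or answer: the resource server parses the `Authorization: OAuth ...` header, rejects requests whose `oauth_timestamp` falls outside an acceptance window, and remembers every `(oauth_consumer_key, oauth_timestamp, oauth_nonce)` triple it has accepted until that triple is too old to pass the window check anyway. The 300-second window, the header values and the `NonceStore` / `verify_request` names are constructed for this illustration; the check is meant to run after the signature has been verified, since in OAuth 1.0 the nonce and timestamp are covered by the signature and cannot be altered by someone who does not hold the secrets.

```python
"""Replay protection for OAuth 1.0 requests via oauth_nonce + oauth_timestamp (illustrative)."""
from collections import deque
from urllib.parse import unquote

WINDOW_SECONDS = 300  # assumption: tolerated clock skew, which also bounds nonce retention


def parse_oauth_header(header):
    """Parse 'Authorization: OAuth k="v", ...' into a dict with percent-decoded values."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth authorization header")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[unquote(key)] = unquote(value.strip().strip('"'))
    return fields


class NonceStore:
    """Remembers accepted (consumer_key, timestamp, nonce) triples for one window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = set()
        self._expiry = deque()  # (expire_at, triple) in arrival order

    def _purge(self, now):
        # Drop triples whose timestamp is now too old to pass the window check; an
        # out-of-order entry may linger until the one ahead of it expires, which is harmless.
        while self._expiry and self._expiry[0][0] <= now:
            _, triple = self._expiry.popleft()
            self._seen.discard(triple)

    def check(self, consumer_key, timestamp, nonce, now):
        """Return (accepted, reason) for one request; records the triple when accepted."""
        self._purge(now)
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        triple = (consumer_key, timestamp, nonce)
        if triple in self._seen:
            return False, "replay: nonce already used"
        self._seen.add(triple)
        self._expiry.append((timestamp + self.window, triple))
        return True, "ok"


def verify_request(store, header, now):
    """Run the replay check on one request; `now` is the server clock (epoch seconds)."""
    fields = parse_oauth_header(header)
    try:
        consumer_key = fields["oauth_consumer_key"]
        timestamp = int(fields["oauth_timestamp"])
        nonce = fields["oauth_nonce"]
    except (KeyError, ValueError):
        return False, "missing or malformed oauth parameters"
    return store.check(consumer_key, timestamp, nonce, now)


# Constructed sample headers (not real credentials or signatures).
REQ_A = ('OAuth oauth_consumer_key="consumer-a", oauth_nonce="n1", '
         'oauth_timestamp="1700000000", oauth_signature_method="HMAC-SHA1", '
         'oauth_signature="sig%3D"')
REQ_B = REQ_A.replace("consumer-a", "consumer-b")        # other key, same nonce + timestamp
REQ_A_T2 = REQ_A.replace("1700000000", "1700000100")     # same key + nonce, newer timestamp

if __name__ == "__main__":
    store = NonceStore()
    for label, hdr, now in [("first request", REQ_A, 1700000010),
                            ("replayed request", REQ_A, 1700000020),
                            ("other consumer, same nonce", REQ_B, 1700000020),
                            ("same nonce, new timestamp", REQ_A_T2, 1700000120),
                            ("replay after window", REQ_A, 1700000400)]:
        print(f"{label:28s} -> {verify_request(store, hdr, now)}")
```

The replayed copy of `REQ_A` is refused even though its signature is still valid, which is the point of the answer; the same nonce is fine for a different consumer or a different timestamp because uniqueness is required per `(consumer_key, timestamp, nonce)`, and once a request's timestamp falls outside the window the server can forget its nonce because the timestamp check alone rejects it.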
