向url参数添加一个简单的MAC? [英] Adding a simple MAC to url parameters?
问题描述
我想向我的一些 URL 参数添加一种简单的 MAC.这仅旨在作为防止应用程序错误和缓存相关问题/错误的附加防线,而不是作为应用程序中实际登录安全性的任何形式的替代.给定的业务对象 ID 已受后端保护,仅限于单个用户.
I want to add a simple kind of MAC to some of my URL parameters. This is only intended as an additional line of defense against application bugs and caching related problems/bugs, and not intended as any form of replacement of the actual login security in the application. A given business-object-id is already protected by backends to be limited to a single user.
所以基本上我想在我的 url 参数中添加一个简短的身份验证代码,大小为 2-4 个字符.我想我想要一个可逆函数,类似于 f(business-data-id + login-on-user-id + ??) = hash,但我愿意接受建议.
So basically I'd like to add a short authentication code to my url parameters, on the size of 2-4 characters. I think I'd like to have a reversible function along the lines of f(business-data-id + logged-on-user-id + ??) = hash, but I am open to suggestions.
主要目的是停止猜测 id,并确保每个登录用户的 url 都相当不同.我也不想要像 MD5 这样又大又笨重的东西.
The primary intention is to stop id guessing, and to make sure that url's are fairly distinct per logged on user. I also don't want something big and clunky like an MD5.
推荐答案
由于您不是在寻找加密质量,也许 24 位 CRC 会满足您的需求.虽然 MD5 的绝对速度是快"的,但 CRC 相对来说是快得惊人".然后可以将 3 字节的 CRC 文本编码为 Base-64 编码的四个字符.
Since you aren't looking for cryptographic quality, maybe a 24-bit CRC would fit your needs. While MD5 is "fast" in absolute terms, CRC is, relatively, "blindingly fast". Then the 3-byte CRC could be text-encoded into four characters with Base-64 encoding.
这是用于 OpenPGP ASCII-armor 校验和的检查的 Java 实现:
Here's a Java implementation of the check used for OpenPGP ASCII-armor checksums:
private static byte[] crc(byte[] data)
{
int crc = 0xB704CE;
for (int octets = 0; octets < data.length; ++octets) {
crc ^= (data[octets] & 0xFF) << 16;
for (int i = 0; i < 8; ++i) {
crc <<= 1;
if ((crc & 0x1000000) != 0)
crc ^= 0x1864CFB;
}
}
byte[] b = new byte[3];
for (int shift = 16, idx = 0; shift >= 0; shift -= 8) {
b[idx++] = (byte) (crc >>> shift);
}
return b;
}
我会散列一个密钥(只有服务器知道),连同你想保护的任何东西——可能是对象标识符和用户标识符的组合.
I would hash a secret key (which is known only by the server), together with whatever you want to protect—probably the combination of object identifier and user identifier.
这篇关于向url参数添加一个简单的MAC?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!