Adding a simple MAC to url parameters?


Question

I want to add a simple kind of MAC to some of my URL parameters. This is only intended as an additional line of defense against application bugs and caching-related problems/bugs, and not intended as any form of replacement of the actual login security in the application. A given business-object-id is already protected by backends to be limited to a single user.

So basically I'd like to add a short authentication code to my URL parameters, around 2-4 characters in size. I think I'd like to have a reversible function along the lines of f(business-data-id + logged-on-user-id + ??) = hash, but I am open to suggestions.

The primary intention is to stop id guessing, and to make sure that URLs are fairly distinct per logged-on user. I also don't want something big and clunky like an MD5.

Recommended answer

Since you aren't looking for cryptographic quality, maybe a 24-bit CRC would fit your needs. While MD5 is "fast" in absolute terms, CRC is, relatively, "blindingly fast". Then the 3-byte CRC could be text-encoded into four characters with Base-64 encoding.

Here's a Java implementation of the check used for OpenPGP ASCII-armor checksums:

// CRC-24 as used for OpenPGP ASCII-armor checksums:
// initial value 0xB704CE, generator polynomial 0x1864CFB.
private static byte[] crc(byte[] data)
{
  int crc = 0xB704CE;
  for (int octets = 0; octets < data.length; ++octets) {
    // Feed the next byte (masked to unsigned) into the top of the 24-bit register.
    crc ^= (data[octets] & 0xFF) << 16;
    for (int i = 0; i < 8; ++i) {
      crc <<= 1;
      // Reduce whenever bit 24 carries out; this also clears that bit.
      if ((crc & 0x1000000) != 0)
        crc ^= 0x1864CFB;
    }
  }
  // Emit the 24-bit result as three big-endian bytes.
  byte[] b = new byte[3];
  for (int shift = 16, idx = 0; shift >= 0; shift -= 8) {
    b[idx++] = (byte) (crc >>> shift);
  }
  return b;
}

I would hash a secret key (which is known only by the server), together with whatever you want to protect—probably the combination of object identifier and user identifier.
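The tagging scheme the answer describes, written out as an added Python example (not from the original post or the Java snippet's author): a CRC-24 over secret || user id || object id, the 3 result bytes encoded as four URL-safe Base64 characters, and constant-time verification. Since the answer itself notes the CRC is not of cryptographic quality, the example also shows a truncated HMAC-SHA256 tag that fits the same 4-character budget; the secret, ids and the field separator are constructed values.

```python
import base64
import hashlib
import hmac

# OpenPGP ASCII-armor CRC-24: same init value and polynomial as the Java snippet.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Return the 24-bit OpenPGP CRC of data as an int."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


# Constructed server-side secret for the example; a real deployment loads it
# from configuration and never exposes it to the client.
SERVER_SECRET = b"constructed-demo-secret"


def _message(user_id: int, object_id: int) -> bytes:
    # Unambiguous encoding: "12|3" and "1|23" must not produce the same bytes.
    return f"{user_id}|{object_id}".encode()


def crc_tag(user_id: int, object_id: int, secret: bytes = SERVER_SECRET) -> str:
    """4-character tag from the CRC-24 of secret || user id || object id."""
    value = crc24(secret + _message(user_id, object_id))
    return base64.urlsafe_b64encode(value.to_bytes(3, "big")).decode()


def hmac_tag(user_id: int, object_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Same 4-character budget, but from the first 3 bytes of an HMAC-SHA256."""
    mac = hmac.new(secret, _message(user_id, object_id), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:3]).decode()


def verify(tag_fn, user_id: int, object_id: int, tag: str) -> bool:
    """Recompute the tag and compare in constant time so timing leaks nothing."""
    expected = tag_fn(user_id, object_id).encode()
    return hmac.compare_digest(expected, tag.encode())
```

With `crc_tag` any change to the user or object id alters the tag, but the CRC is linear and does not hide the secret the way `hmac_tag` does, so the latter is the drop-in to use if the tag must resist deliberate forgery rather than only catch bugs.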
