在应用程序中实现(安全)Api 密钥 [英] Implementing (secure) Api Keys in an app

问题描述

我编写了一个 Web 应用程序，我希望允许其他开发人员从中获取信息.

I wrote a Web Application and I would like to allow other developers to get the information from it.

我正在使用的服务器不是那么糟糕，无法处理那么多请求，所以我们的想法是为每个想要查询我们信息的人生成和分配 api 密钥.使用 Api 密钥，我可以限制每天的请求，或许还可以收集一些统计数据，看看哪些信息对其他开发者真正有用.

The server Im working on is not that awsome and cant handle that many request, so the idea is to generate and assign api keys to everyone that wants to query our information. With Api keys I can limit the daily requests and perhaps collect some statistics to see what information is really useful for the other developers.

问题是，我担心它的安全方面.由于 Api 密钥将被发送到我们的服务器(通过 GET/POST 等)，有人可以使用 wireshark 嗅探请求并轻松获取开发人员的 API 密钥，对吧?

The thing is, Im concerned about the security aspect of it. Since the Api key is going to be sent to our server (via GET/POST etc), someone could sniff the request with wireshark and get the developers API key without much effort, right?

我想过生成一个密钥和一个 API 密钥.然后我可以指示其他开发人员连接它们并将其散列发送到我们的 API.然后我会验证散列是否有效并允许请求......但是同样的问题会持续存在.黑客仍然可以嗅探该哈希值并代表其他开发者的应用发出请求.

I thought about generating a secret key and an API key. I could then instruct the other developers to concatenate them and send a hash of it to our API. I would then validate that the hash is valid and allow the request... But then the same problem would persist. A hacker could still sniff that hash and make requests on behalf of the other developer's app.

所以我的问题是

• 我怎样才能避免这个问题?
• 或者更好的是，我的担忧是否有效?这是一个真正的问题吗?
• 是否有更好、更安全的方式来允许访问我的信息，同时又不会让其他开发者觉得太复杂?

大家怎么看?

推荐答案

我认为您正在尝试解决一系列不同的问题.

I think you're trying to solve a bunch of different questions here.

如果您的目标是限制对服务器的请求数量，您应该创建一个限制机制.这很重要，但我将它基于 IP 地址而不是许可证密钥 - 单个许可用户可能会因大量请求而淹没您的系统.您可以在不实施许可机制的情况下按 IP 地址进行限制.

If your objective is to limit the number of requests to your server, you should create a throttling mechanism. This is non-trivial, but I'd base it on IP address rather than a license key - a single licensed user might swamp your system with lots of requests. You can throttle by IP address without implementing a license mechanism.

如果你想创建一个许可方案，你需要了解密码学等 - 这是一个不平凡的问题.例如，您如何阻止合法用户与其所有朋友共享其许可证密钥?您如何阻止黑客窃取您的密钥并与他的所有朋友共享?

If you want to create a licensing scheme, you need to understand cryptography etc. - it's a non-trivial problem. For instance, how do you stop a legitimate user sharing their license key with all their friends? How do you stop a hacker from stealing your key and sharing it with all of his friends?

对此有多种解决方案 - 它们都会给您的用户带来一定程度的痛苦.例如，您可以在 HTTPS 上运行您的服务；这会停止窥探，但会降低性能.您可以为您的服务发行代币"，这些代币会在使用一定次数后过期；获取新令牌需要加密交换(可能会检查您的 IP 地址).您可能需要挑战/响应"类型的逻辑(包括 IP 地址验证).所有这些步骤都会使您的用户的生活变得更加艰难；他们可能不会因为他们必须做的额外工作而感谢你.

There are a number of solutions to this - they all impose some degree of pain on your users. For instance, you can run your service on HTTPS; this stops snooping, but reduces performance. You can issue "tokens" for your service which expire after a certain number of uses; getting new tokens requires a cryptographic exchange (which might check your IP address). You might require a "challenge/response" type of logic (including an IP address validation). All these steps make life harder for your users; they probably won't thank you much for the extra work they have to do.

这篇关于在应用程序中实现(安全)Api 密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！