API Keys 和 Secret Keys 是如何工作的?如果我必须将我的 API 和密钥传递给另一个应用程序是否安全? [英] How do API Keys and Secret Keys work? Would it be secure if I have to pass my API and secret keys to another application?

查看:38
本文介绍了API Keys 和 Secret Keys 是如何工作的?如果我必须将我的 API 和密钥传递给另一个应用程序是否安全?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我刚刚开始考虑 api 密钥和秘密密钥的工作原理.就在 2 天前,我注册了 Amazon S3 并安装了 S3Fox 插件.他们要求我提供我的访问密钥和秘密访问密钥,两者都需要我登录才能访问.

I am just starting to think about how api keys and secret keys work. Just 2 days ago I signed up for Amazon S3 and installed the S3Fox Plugin. They asked me for both my Access Key and Secret Access Key, both of which require me to login to access.

所以我想知道,如果他们向我要我的密钥,他们一定把它存储在某个地方,对吗?这与询问我的信用卡号或密码并将其存储在他们自己的数据库中基本相同吗?

So I'm wondering, if they're asking me for my secret key, they must be storing it somewhere right? Isn't that basically the same thing as asking me for my credit card numbers or password and storing that in their own database?

秘密密钥和 api 密钥应该如何工作?他们需要保密到什么程度?这些应用程序是否使用秘密密钥以某种方式存储它?

How are secret keys and api keys supposed to work? How secret do they need to be? Are these applications that use the secret keys storing it somehow?

推荐答案

基本上阐述了概述的内容 此处.

Basically elaborating on what's outlined here.

这是它的工作原理:假设我们有一个函数,它接受一个从 0 到 9 的数字,加上 3,如果结果大于 10,则减去 10.所以 f(2) = 5、f(8) = 1 等等.现在,我们可以创建另一个函数,称为 f',它倒退,通过添加 7 而不是 3.f'(5) = 2, f'(1) = 8 等

Here's how it works: let's say we have a function that takes a number from zero through nine, adds three and, if the result is greater than ten, subtracts ten. So f(2) = 5, f(8) = 1, etc. Now, we can make another function, call it f', that goes backwards, by adding seven instead of three. f'(5) = 2, f'(1) = 8, etc.

这是一个双向函数及其逆函数的例子.从理论上讲,任何将一件事映射到另一件事的数学函数都可以颠倒.不过,在实践中,您可以制作一个函数,使其输入混乱,以至于很难逆转.

That's an example of a two-way function and its inverse. Theoretically, any mathematical functions that maps one thing to another can be reversed. In practice, though, you can make a function that scrambles its input so well that it's incredibly difficult to reverse.

接受输入并应用单向函数称为散列"输入,亚马逊在其系统上存储的是您的密钥的散列".SHA1 就是这种单向"功能的一个例子,它也加强了攻击.

Taking an input and applying a one-way function is called "hashing" the input, and what Amazon stores on their system is a "hash" of your secret key. SHA1 is an example of this kind of "one-way" function, it's also hardened against attacks.

HMAC 函数建立在已建立的哈希函数之上,以使用已知密钥来验证文本字符串.它是这样工作的:

The HMAC function builds on established hash functions to use a known key to authenticate a string of text. It works like this:

  • 您获取请求的文本和密钥并应用 HMAC 函数.
  • 您将该身份验证标头添加到您的请求中并将其发送到亚马逊.
  • 亚马逊查找他们的密钥副本以及您刚刚发送的文本并应用 HMAC 功能.
  • 如果结果匹配,他们就知道您拥有相同的密钥.

这个和PKI的区别在于这个方法是RESTful,允许最少数量的您的系统和亚马逊服务器之间的交换.

The difference between this and PKI is that this method is RESTful, allowing a minimum number of exchanges between your system and Amazon's servers.

这不是和询问我的信用卡号码或密码并将其存储在他们的自己的数据库?

Isn't that basically the same thing as asking me for my credit card numbers or password and storing that in their own database?

是的,尽管某人对 S3 造成的损害似乎仅限于耗尽您的帐户.

Yes, though the damage someone can do with S3 seems to be limited to draining your account.

他们需要保密到什么程度?是这些使用秘密的应用程序以某种方式存储它的密钥?

How secret do they need to be? Are these applications that use the secret keys storing it somehow?

在某些时候,您将不得不加载密钥,对于大多数基于 Unix 的系统,如果攻击者可以获得 root 访问权限,他们就可以获得密钥.如果您加密密钥,则必须有代码来解密它,并且在某些时候解密代码必须是纯文本才能执行.这与 DRM 存在的问题相同,只是您拥有计算机.

At some point, you're going to have to load the secret key, and with most Unix based systems, if an attacker can get root access they can get the key. If you encrypt the key, you have to have code to decrypt it, and at some point the decryption code has to be plain text so it can be executed. This is the same problem DRM has, except that you own the computer.

在很多情况下,我只是将密钥放在一个权限有限的文件中,并采取通常的预防措施来防止我的系统被 root.有一些技巧可以使它在多用户系统中正常工作,例如避免使用临时文件等.

In many cases, I just put secret keys in a file with limited permissions, and take the usual precautions to prevent my system from being rooted. There are a few tricks to make it work properly with a multiuser system, such as avoiding temporary files and such.

这篇关于API Keys 和 Secret Keys 是如何工作的?如果我必须将我的 API 和密钥传递给另一个应用程序是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆