How to create and use nonces

Question

I am running a website, and there is a scoring system that gives you points for the number of times you play a game.

It uses hashing to prove the integrity of the HTTP request for scoring so users cannot change anything. However, as I feared might happen, someone figured out that they didn't need to change it; they just needed to get a high score and duplicate the HTTP request, headers and all.

Previously I'd been prohibited from protecting against this attack because it was considered unlikely. However, now that it has happened, I can. The HTTP request originates from a Flash game, is then validated by PHP, and PHP enters it into the database.

I'm pretty sure nonces will solve the issue, but I'm not exactly sure how to implement them. What is a common, and secure way of setting up a nonce system?

Recommended answer

It's actually quite easy to do... There are some libraries out there to do it for you:

  1. PHP Nonce Library
  2. OpenID Nonce Library

Or if you want to write your own, it's pretty simple. Using the Wikipedia page as a jumping-off point, in pseudo-code:

On the server side, you need two client-callable functions:

function getNonce() {
    $id = identifyRequest(); // pseudo-code: either by username, session, or something
    $nonce = hash('sha512', makeRandomString());
    storeNonce($id, $nonce);
    return $nonce; // sent back to the client
}

function verifyNonce($data, $cnonce, $hash) {
    $id = identifyRequest();
    $nonce = getStoredNonce($id);  // Fetch the nonce stored by the last getNonce() call
    removeNonce($id, $nonce); // Remove the nonce from being used again!
    $testHash = hash('sha512', $nonce . $cnonce . $data);
    // Constant-time comparison instead of ==, which is loose and timing-dependent
    return hash_equals($testHash, $hash);
}

On the client side:

function sendData($data) {
    $nonce = getNonceFromServer();
    $cnonce = hash('sha512', makeRandomString());
    $hash = hash('sha512', $nonce . $cnonce . $data);
    $args = array('data' => $data, 'cnonce' => $cnonce, 'hash' => $hash);
    sendDataToServer($args); // the client submits to the server's verifyNonce()
}

The function makeRandomString really just needs to return a random number or string. The better the randomness, the better the security... Also note that since it's fed right into a hash function, the implementation details don't matter from request to request. The client's version and the server's version don't need to match. In fact, the only bit that needs to match 100% is the hash function used in hash('sha512', $nonce . $cnonce . $data);... Here's an example of a reasonably secure makeRandomString function...

function makeRandomString($bits = 256) {
    // random_bytes() draws from the OS CSPRNG (PHP 7+); mt_rand() is
    // predictable and not suitable for generating nonces.
    $bytes = (int) ceil($bits / 8);
    return random_bytes($bytes);
}
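The scheme in the answer above, as an added runnable example (not code from the original post) showing the duplicated request from the question being rejected on its second submission. The class `NonceStore`, its methods, the in-memory array standing in for `storeNonce`/`removeNonce`, the 300-second lifetime and the sample values are all assumptions; it needs PHP 8.

```php
<?php
// Added example: in-memory stand-in for the answer's storeNonce/removeNonce.
// NonceStore, issue() and verify() are illustrative names, not a library API.
final class NonceStore
{
    private array $nonces = [];   // session id => [nonce, expiry timestamp]

    public function __construct(private int $ttl = 300) {}

    // Server side: hand out a fresh nonce and remember it for this session.
    public function issue(string $id): string
    {
        $nonce = bin2hex(random_bytes(32));
        $this->nonces[$id] = [$nonce, time() + $this->ttl];
        return $nonce;
    }

    // Server side: recompute the hash and consume the nonce, pass or fail.
    public function verify(string $id, string $data, string $cnonce, string $hash): bool
    {
        if (!isset($this->nonces[$id])) {
            return false;                       // never issued, or already used
        }
        [$nonce, $expires] = $this->nonces[$id];
        unset($this->nonces[$id]);              // single use: delete before checking
        if (time() > $expires) {
            return false;                       // stale nonce
        }
        $expected = hash('sha512', $nonce . $cnonce . $data);
        return hash_equals($expected, $hash);   // constant-time comparison
    }
}

// Constructed sample run: one legitimate score submission, then its replay.
$store   = new NonceStore();
$session = 'session-abc';                       // constructed session id
$data    = 'score=4200';                        // constructed payload

$nonce  = $store->issue($session);              // client asks for a nonce
$cnonce = bin2hex(random_bytes(32));            // client-side random value
$hash   = hash('sha512', $nonce . $cnonce . $data);

var_dump($store->verify($session, $data, $cnonce, $hash)); // first submission
var_dump($store->verify($session, $data, $cnonce, $hash)); // identical replay
```

With a session or database as the store, the lookup and the delete have to happen as one atomic step, otherwise two copies of the same request arriving at once can both pass.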
