如何防止重放攻击? [英] How do I prevent replay attacks?
问题描述
这与另一个有关我问的问题.总之,我有一个 URL 的特殊情况,当表单被发送到它时,我不能依靠 cookie 进行身份验证或维护用户的会话,但我不知何故需要知道他们是谁,我需要知道他们已登录!
This is related to another question I asked. In summary, I have a special case of a URL where, when a form is POSTed to it, I can't rely on cookies for authentication or to maintain the user's session, but I somehow need to know who they are, and I need to know they're logged in!
我想我想出了一个解决我的问题的办法,但它需要充实.这就是我的想法.我创建了一个名为用户名"的隐藏表单字段,并将用户的用户名放入其中,加密.然后,当表单 POST 时,即使我没有从浏览器收到任何 cookie,我也知道他们已登录,因为我可以解密隐藏的表单字段并获取用户名.
I think I came up with a solution to my problem, but it needs fleshing out. Here's what I'm thinking. I create a hidden form field called "username", and place within it the user's username, encrypted. Then, when the form POSTs, even though I don't receive any cookies from the browser, I know they're logged in because I can decrypt the hidden form field and get the username.
我能看到的主要安全漏洞是重放攻击.如何防止某人获取该加密字符串并以该用户身份发布?我知道我可以使用 SSL 使窃取该字符串变得更加困难,也许我可以定期轮换加密密钥以限制该字符串的有效时间,但我真的很想找到一个防弹工具解决方案.有人有任何想法吗?ASP.Net ViewState 是否阻止重播?如果是这样,他们是怎么做的?
The major security flaw I can see is replay attacks. How do I prevent someone from getting ahold of that encrypted string, and POSTing as that user? I know I can use SSL to make it harder to steal that string, and maybe I can rotate the encryption key on a regular basis to limit the amount of time that the string is good for, but I'd really like to find a bulletproof solution. Anybody have any ideas? Does the ASP.Net ViewState prevent replay? If so, how do they do it?
编辑:我希望有一个不需要在数据库中存储任何内容的解决方案.应用程序状态没有问题,只是它不会在 IIS 重新启动后继续存在,或者在 Web 场或花园场景中根本无法工作.我现在接受 Chris 的回答,因为我不相信在没有数据库的情况下甚至有可能保护它.但如果有人提出不涉及数据库的答案,我会接受!
Edit: I'm hoping for a solution that doesn't require anything stored in a database. Application state would be okay, except that it won't survive an IIS restart or work at all in a web farm or garden scenario. I'm accepting Chris's answer, for now, because I'm not convinced it's even possible to secure this without a database. But if someone comes up with an answer that does not involve the database, I'll accept it!
推荐答案
如果您将时间戳与用户名和密码一起散列,您可以在几秒钟内关闭重放攻击窗口.我不知道这是否满足您的需求,但至少是部分解决方案.
If you hash in a time-stamp along with the user name and password, you can close the window for replay attacks to within a couple of seconds. I don't know if this meets your needs, but it is at least a partial solution.
这篇关于如何防止重放攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
