What's the point of a timestamp in OAuth if a Nonce can only be used one time?


Question

I had at first misinterpreted the timestamp implementation of OAuth into thinking that it meant a timestamp that was not within 30 seconds past the current time would be denied. It turned out this was wrong for a few reasons, including the fact that we could not guarantee that each system clock was in sync enough down to the minutes and seconds regardless of time zone. Then I read it again to get more clarity:

"Unless otherwise specified by the Service Provider, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests."

Source: http://oauth.net/core/1.0/#nonce

Meaning the timestamps are only compared in relation to previous requests from the same source, not in comparison to my server system clock.

Then I read a more detailed description here: http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iii-security-architecture/

(TL;DR? - skip to the bold parts below)

To prevent compromised requests from being used again (replayed), OAuth uses a nonce and timestamp. The term nonce means 'number used once' and is a unique and usually random string that is meant to uniquely identify each signed request. By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once. This means the Consumer generates a unique string for each request sent to the Service Provider, and the Service Provider keeps track of all the nonces used to prevent them from being used a second time. Since the nonce value is included in the signature, it cannot be changed by an attacker without knowing the shared secret.

Using nonces can be very costly for Service Providers as they demand persistent storage of all nonce values received, ever. To make implementations easier, OAuth adds a timestamp value to each request which allows the Service Provider to only keep nonce values for a limited time. When a request comes in with a timestamp that is older than the retained time frame, it is rejected as the Service Provider no longer has nonces from that time period. It is safe to assume that a request sent after the allowed time limit is a replay attack. OAuth provides a general mechanism for implementing timestamps but leaves the actual implementation up to each Service Provider (an area many believe should be revisited by the specification). From a security standpoint, the real nonce is the combination of the timestamp value and nonce string. Only together they provide a perpetual unique value that can never be used again by an attacker.

The reason I am confused is: if the nonce is only used once, why would the Service Provider ever reject based on timestamp? "Service Provider no longer has nonces from that time period" is confusing to me and sounds as if a nonce can be re-used as long as it is within 30 seconds of the last time it was used.

So can anyone clear this up for me? What is the point of the timestamp if the nonce is a one-time use and I am not comparing the timestamp against my own system clock (because that obviously would not be reliable)? It makes sense that the timestamps will only be relative to each other, but with the unique nonce requirement it seems irrelevant.

Accepted answer

The timestamp is used for allowing the server to optimize their storage of nonces. Basically, consider the read nonce to be the combination of the timestamp and random string. But by having a separate timestamp component, the server can implement a time-based restriction using a short window (say, 15 minutes) and limit the amount of storage it needs. Without timestamps, the server will need infinite storage to keep every nonce ever used.

Let's say you decide to allow up to 15 minutes time difference between your clock and the client's and are keeping track of the nonce values in a database table. The unique key for the table is going to be a combination of 'client identifier', 'access token', 'nonce', and 'timestamp'. When a new request comes in, check that the timestamp is within 15 minutes of your clock, then look up that combination in your table. If found, reject the call; otherwise add it to your table and return the requested resource. Every time you add a new nonce to the table, delete any record for that 'client identifier' and 'access token' combination with a timestamp older than 15 minutes.
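One way to implement the check the answer describes, as an added example that is not code from the original post: an in-memory set stands in for the database table, the 15-minute window is the answer's figure, and `now` is injected so the behaviour can be traced without a live clock. The example also shows why the window lets the server forget old nonces safely: a replay whose timestamp has aged out is refused by the window check alone, so its nonce no longer needs to be remembered.

```python
import time

WINDOW_SECONDS = 15 * 60  # the 15-minute window used in the answer


class NonceStore:
    """Stand-in for the table keyed on (client id, access token, nonce, timestamp).

    Added example; a real deployment would back this with a shared,
    persistent store so every server instance sees the same records.
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.seen = set()

    def check_request(self, client_id, token, nonce, timestamp, now=None):
        """Return (accepted, reason); records the nonce only when accepted."""
        now = int(time.time()) if now is None else now
        # 1. Timestamp must lie within the allowed skew of the server clock.
        #    Nonces from outside that window have already been purged, so an
        #    old request cannot be distinguished from a replay and is refused.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        # 2. Look up the full combination; a hit means the request was replayed.
        key = (client_id, token, nonce, timestamp)
        if key in self.seen:
            return False, "nonce already used"
        # 3. Record the new nonce, then drop this client/token's expired rows
        #    so storage stays bounded by the window rather than growing forever.
        self.seen.add(key)
        self._prune(client_id, token, now)
        return True, "ok"

    def _prune(self, client_id, token, now):
        self.seen = {
            k for k in self.seen
            if not (k[0] == client_id and k[1] == token and now - k[3] > self.window)
        }


def demo():
    """Constructed trace: first use, immediate replay, and an aged-out replay."""
    store = NonceStore()
    first = store.check_request("client-a", "token-1", "n1", 1000, now=1000)
    replay = store.check_request("client-a", "token-1", "n1", 1000, now=1010)
    later = store.check_request("client-a", "token-1", "n3", 1901, now=1901)
    aged = store.check_request("client-a", "token-1", "n1", 1000, now=1901)
    return first, replay, later, aged, len(store.seen)
```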
