Security model: log in to third-party site with user's credentials


Question

I develop a service (Service) which automates certain actions that users can do on another third-party site (3rd Party Site).

My service provides the following functionality for the users:

  • the user registers at the Service

  1. the user provides his/her 3rd Party Site username/password to the Service
  2. the Service uses these credentials to log in to the 3rd Party Site on behalf of the user
  3. the Service stores the cookies issued by the 3rd Party Site in its database
  4. from now on the Service periodically (cron) logs in to the 3rd Party Site on behalf of the user using the previously stored cookies (the 3rd Party Site username/password is not saved anywhere) and performs some actions on the 3rd Party Site on the user's behalf

Notes:

  • before registering at the Service, the user is shown full information describing the interaction between the Service and the 3rd Party Site
  • logging the user in to the 3rd Party Site automatically has a certain value, and users are interested in being logged in automatically and having certain actions performed on the 3rd Party Site, i.e. they are interested in the Service doing some work for them on the 3rd Party Site
  • there is no OAuth functionality on the 3rd Party Site
  • there is no user authentication token functionality of any kind on the 3rd Party Site

I have done some research here at Stack Exchange and I have not found any solutions:

Moreover, from reading through the provided questions and answers I tend to think there is no way to secure the user's login data (passwords or 3rd Party Site cookies). I.e. if an attacker gets access to the Service's server, the attacker gets access to the users' accounts on the 3rd Party Site as well.

If I try to store the 3rd Party Site's cookies in the Service's database encrypted, then they will only be useful to the script that decrypts them. Therefore, to get access to the 3rd Party Site user account, the attacker would need to not only get access to the Service's machine, but to modify the script (step 4) as well.

Storing a cookie for the 3rd Party Site on the Service is really similar to OAuth, but in this case a cookie is used instead of a token (no passwords are stored).

What is the approach to designing a security model/architecture for storing the user's login data securely at the Service, so that the Service can periodically log in to the 3rd Party Site on behalf of the user without manual interaction with the user?

P.S. I use Django, but I guess the security model/architecture does not depend on a particular technology stack.

Answer

To state the obvious: The important thing here is of course to not let an attacker on your site get access to all the cookies. You cannot completely protect against this, since your service will need access to the cookies (in unencrypted form) regularly. An attacker that has completely compromised your server will in theory be able to do anything your service can do, so if it is possible for your service to get access to the cookies, then an attacker with all rights will also be able to get access to them.

If you still want to do this, you should

1) Make it harder for an attacker to get access to the cookies

Just to give you an example of how you can think about this: If your system is compromised, it is likely that the attacker will get access to your file system. If the cookies are stored in plain text in files, the attacker will have an easy time. Storing them in a database is better (and probably what you want to do anyway), but not much better unless you protect access to the database in some way. A dedicated attacker will not have a hard time if e.g. the password to the database is stored in the application's configuration file.

A solution that would improve the situation quite a lot would be if the cookies were always encrypted except just when you need them. The best solution would be if the encryption key was not stored in an application log, but was provided (typed in) by an operator every time the server is restarted. To break this the attacker would have to read the memory of the application (not impossible at all, but still more difficult).

Another measure would be to store the cookies in a separate database on a dedicated server and limit all access to this server to what is needed.

A complete strategy for this requires more intimate knowledge of your exact physical and logical setup.

2) Create mechanisms so that you can detect if the cookies have been compromised

This is almost equally important. If this happens, you want to know and be able to take action immediately. There are of course standard IDS systems that can be used. You may also create more targeted systems that apply to your specific application. The system could e.g. detect if someone is running an SQL query that scans the whole database table with cookies. Since you know how your own application normally behaves, you can also create a monitoring system that can detect if something that is not normal happens.

3) Prepare a system to quickly invalidate all cookies if you detect that they have been stolen

The third-party service probably has an option to log out and thereby invalidate the cookies. You should prepare a job that does this for all your stored cookies and that you can easily activate. Think about the difference between telling your users that someone may have had access to their service for 10 minutes before you disabled all cookies, and telling them that someone still has access to the third-party service and you don't know how to stop them.

In addition to this, it is of course important that your users understand what they do when they give you access and that the provider of the third-party service approves of this. It is not obvious that a third-party service provider will allow this kind of access. If they do, they may also help you with creating a special session cookie that is e.g. bound to your IP address.
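As an added illustration of points 1) and 3) above (not code from the question or the answer), a vault that keeps the stored third-party cookies encrypted except at the moment they are used, with the key held only in process memory, plus the bulk logout job for the emergency case. The asker uses Django; this sketch is in Go because its standard library ships authenticated encryption (AES-GCM), and the design carries over to any stack. Assumed: the key is typed in by an operator at start-up, an in-memory map stands in for the database table, and the `logout` callback (the third party's logout call) is hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CookieVault keeps third-party cookies sealed at rest with AES-256-GCM under a key
// held only in memory (typed in by an operator at start-up). Hypothetical, not the asker's code.
type CookieVault struct {
	aead  cipher.AEAD
	store map[string][]byte // userID -> nonce||ciphertext; stands in for the DB table
}

func NewCookieVault(key [32]byte) *CookieVault {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return &CookieVault{aead: aead, store: map[string][]byte{}}
}

// Seal stores a cookie under a fresh nonce, binding userID as associated data.
func (v *CookieVault) Seal(userID string, cookie []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.store[userID] = v.aead.Seal(nonce, nonce, cookie, []byte(userID))
	return nil
}

// Open decrypts one cookie only when the cron job needs it; a blob moved onto another user's row fails.
func (v *CookieVault) Open(userID string) ([]byte, error) {
	blob, n := v.store[userID], v.aead.NonceSize()
	if len(blob) < n { // an unknown user yields a nil blob and lands here too
		return nil, errors.New("no cookie stored for user")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], []byte(userID))
}

// RevokeAll is the emergency job: log every cookie out at the third party, then wipe the local copy.
func (v *CookieVault) RevokeAll(logout func(id string, cookie []byte) error) (n int) {
	for id := range v.store {
		if c, err := v.Open(id); err == nil && logout(id, c) == nil {
			n++
		}
		delete(v.store, id)
	}
	return n
}
```

RevokeAll wipes every row whether or not the third-party logout succeeded, so a partial failure leaves no usable cookie behind; the returned count tells you how many sessions were actually closed upstream.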
