Security model: log in to third-party site with user's credentials


Question

I develop a service (Service) which automates certain actions that users can do on another third-party site (3rd Party Site).

My service provides the following functionality for the users:

  • the user registers at the Service

  1. the user provides his/her 3rd Party Site username/password to the Service
  2. the Service logs in to the 3rd Party Site on behalf of the user using those credentials
  3. the Service stores the cookies issued by the 3rd Party Site in its database
  4. from now on the Service uses the previously stored cookies (the 3rd Party Site username/password are not saved anywhere) to log in to the 3rd Party Site on behalf of the user periodically (cron) and to perform some actions on the 3rd Party Site on behalf of the user

Notes:

  • before registering at the Service, the user is given complete information describing the interaction between the Service and the 3rd Party Site
  • automating the user's login to the 3rd Party Site has a certain value, and users are interested in automating their login and certain actions on the 3rd Party Site, i.e. they are interested in a Service that does some work for them on the 3rd Party Site
  • there is no OAuth functionality on the 3rd Party Site
  • there is no user authentication token functionality of any kind on the 3rd Party Site

I have done research here at Stack Exchange and I have not found any solutions:

Moreover, from reading through the provided questions and answers I tend to think there is no way to secure the user's login data (passwords or 3rd Party Site cookies). I.e. if an attacker gets access to the Service's server, the attacker gets access to the users' accounts on the 3rd Party Site as well.

If I try to store the 3rd Party Site's cookies encrypted in the Service's database, then they will only be useful to the script that decrypts them. Therefore, to get access to the 3rd Party Site user account, the attacker would need to not only get access to the Service's machine, but to modify the script (step 4) as well.

Storing a cookie for the 3rd Party Site on the Service is really similar to OAuth, but in this case a cookie is used instead of a token (no passwords are stored).

How can I design a security model/architecture to securely store the users' login data at the Service, so as to allow the Service to periodically log in to the 3rd Party Site on behalf of the users without any manual interaction with the users?

P.S. I use Django, but I guess the security model/architecture does not depend on a particular technology stack.

Answer

To state the obvious: the important thing here is of course to not let an attacker on your site get access to all the cookies. You cannot completely protect against this, since your service will need access to the cookies (in unencrypted form) regularly. An attacker that has completely compromised your server will in theory be able to do anything your service can do, so if it is possible for your service to get access to the cookies, then an attacker with all rights will also be able to get access to them.

If you still want to do this, you should:

1) Make it harder for an attacker to get access to the cookies

Just to give you an example of how you can think about this: if your system is compromised, it is likely that the attacker will get access to your file system. If the cookies are stored in plain text in files, the attacker will have an easy time. Storing them in a database is better (and probably what you want to do anyway), but not much better unless you protect access to the database in some way. A dedicated attacker will not have a hard time if, e.g., the password to the database is stored in the application's configuration file.

A solution that would improve the situation quite a lot would be if the cookies were always encrypted except just when you need them. The best solution would be if the encryption key was not stored in an application log, but was provided (typed in) by an operator every time the server is restarted. To break this the attacker would have to read the memory of the application (not impossible at all, but still more difficult).

Another measure would be to store the cookies in a separate database on a dedicated server and limit all access to this server to what is needed.

A complete strategy for this requires more intimate knowledge of your exact physical and logical setup.

2) Create mechanisms so that you can detect if the cookies have been compromised

This is almost equally important. If this happens, you want to know and be able to take action immediately. There are of course standard IDS systems that can be used. You may also create more targeted systems that apply to your specific application. The system could, e.g., detect if someone is running SQL that scans the whole database table with cookies. Since you know how your own application normally behaves, you can also create a monitoring system that can detect if something that is not normal happens.

3) Prepare a system to quickly invalidate all the cookies if you detect that they have been stolen

The third party service probably has an option to log out and by that invalidate the cookies. You should prepare a job that does this for all your stored cookies and that you can easily activate. Think about the difference between telling your users that someone may have had access to their service for 10 minutes before you disabled all cookies, and telling them that someone still has access to the third party service and you don't know how to stop them.

In addition to this, it is of course important that your users understand what they do when they give you access and that the provider of the third party service approves of this. It is not obvious that a third party service provider will allow this kind of access. If they do, they may also help you with creating a special session cookie that is, e.g., bound to your IP address.
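Putting the answer's three points together as an added example (not the asker's or the answerer's code): a Python cookie vault for the Django service, where the key is held only in memory, a decryption-rate tripwire catches a whole-table read, and a kill-switch callback does the mass invalidation. CookieVault, seal/unseal, the thresholds and the on_alarm callback are assumed names; the HMAC counter-mode cipher is a stdlib stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, os, time
from collections import deque
# Constructed illustration, not the asker's Django code. CookieVault, seal/unseal,
# the thresholds and the on_alarm callback are assumed names for this example.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for a real AEAD (use AES-GCM in production): HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("stored cookie blob was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class CookieVault:
    """Point 1: the key lives only in memory (typed in by an operator at start-up, never
    read from a config file). Point 2: a decryption-rate tripwire notices a whole-table
    read. Point 3: the tripwire fires a kill switch that logs every stored session out."""

    def __init__(self, operator_key, max_decrypts, window_s, on_alarm, clock=time.monotonic):
        self.key = hashlib.sha256(operator_key.encode()).digest()  # real deployments: a slow KDF
        self.rows = {}          # user -> encrypted blob; stands in for the DB table
        self.max, self.window = max_decrypts, window_s
        self.on_alarm, self.clock = on_alarm, clock
        self.recent = deque()   # timestamps of decryptions inside the window
        self.locked = False

    def store(self, user: str, cookie: str) -> None:
        self.rows[user] = seal(self.key, cookie.encode())

    def cookie_for(self, user: str) -> str:
        if self.locked:
            raise PermissionError("vault locked: suspected bulk cookie access")
        now = self.clock()
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.max:   # the cron job reads one user at a time; a table scan does not
            self.locked = True
            self.on_alarm(sorted(self.rows))   # kill switch: log all stored sessions out
            raise PermissionError("vault locked: suspected bulk cookie access")
        return unseal(self.key, self.rows[user]).decode()
```

The on_alarm callback is where the answer's logout job belongs; once it fires, the vault refuses further reads until an operator restarts it with the key.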
