我*必须*商店的第三方证书在我的数据库。最好的办法? [英] i *must* store third party credentials in my database. best way?
问题描述
我的应用程序必须读取从第三方的SSL URL。我最好如何存储在自己的数据库,它可以保护不受损害第三方证书第三方证书?同时考虑绝对的安全性和实用性。单向散列的凭据是没有用的,因为我必须恢复凭据明文为SSL调用。我使用的谷歌应用程序引擎Python和我的应用程序与谷歌的凭据验证。
My app must read an SSL url from a third party. How do I best store the third party credentials in my own database, which protects the third party credentials from being compromised? Consider both absolute security and practicality. One-way hashing the credentials is not useful as I must restore credentials to plaintext for the SSL call. I'm using python on google app engine, and my app authenticates with google credentials.
- 加密凭据AES和保存加密密钥别的地方(只是移动的问题),或<一个href=\"http://stackoverflow.com/questions/1819023/encrypting-3rd-party-credentials/1822022#1822022\">derive它的凭证,并保持算法的秘密(只是移动的问题)
- 加密凭据使用同步流密码,获得来自凭证(不)熵和的保持算法的秘密(只是移动的问题)
- ,提供了一个SSL URL收到第三方证书,这个网址与谷歌凭据访问(同我的应用程序),并且可以使用的AuthSub或东西的授权转移到其他Web应用程序。这听起来更安全,因为它难以破解一个平凡简单的Web应用程序,如果我的复杂主要的应用程序被损害第三方凭据不会暴露出来。
例如使用
在专用于存储第三方证书单独的Web应用程序
- encrypt credentials using e.g. AES and save the encryption key somewhere else (just moves the problem), or derive it from the credentials and keep the algorithm secret (just moves the problem)
- encrypt credentials using a synchronous stream cipher, derive the (not)entropy from the credentials and keep the algorithm secret (just moves the problem)
- on a separate web app dedicated to storing third party credentials, provide a SSL url to receive the third party credentials, this url is accessed with google credentials (same as my app) and can use authsub or something to transfer authorization to the other web app. this sounds more secure because its harder to hack a trivially simple webapp, and if my complex main app gets compromised the third party credentials aren't exposed.
你怎么看所有的方法?
推荐答案
这是一个艰巨的任务,没办法将节省您的麻烦,以确保不存在薄弱环节。首先,我不知道如果托管在谷歌是最好的方式,因为你会被没收的控制(我真的不知道,如果App Engine是设计时考虑所需的安全级别,你会发现, OUT),可能不能做渗透测试(你应该)。
It's a difficult task, and no approach will save you the trouble to make sure that there is no weak link. For starters, I wouldn't know if hosting on Google is the best way to go, because you will be forfeiting control (I really don't know if App Engine is designed with the required level of security in mind, you should find that out) and probably cannot do penetration testing (which you should.)
有一个独立的小应用程序可能是一个好主意,但是,这并不救你不必一种方式或其他凭据自己在这个小应用程序进行加密。它只是给你买的简单,这反过来又使事情变得更容易分析。
Having a separate small application is probably a good idea, but that doesn't save you from having to encrypt one way or the other the credentials themselves in this smaller app. It just buys you simplicity, which in turn makes things easier to analyze.
我个人会尝试设计应用程序,以便关键的变化在每次使用后随机,有一种的一次性密码本方法。您没有指定足够详细的应用程序,看看是否可行。
I personally would try to design the app so the key changes randomly after each use, having a kind of one time pad approach. You don't specify the app in enough detail to see if this is feasible.
这篇关于我*必须*商店的第三方证书在我的数据库。最好的办法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
