Web服务API密钥和Ajax - 保护的关键 [英] Web services API Keys and Ajax - Securing the Key

问题描述

这可能是一个通用的安全问题，但我想我会问什么，我开发的领域。

This is probably a generic security question, but I thought I'd ask in the realm of what I'm developing.

该方案是：Web服务（WCF的Web API），它使用一个API密钥验证，并告诉我，用户是谁，和jQuery的组合和应用程序的前端

The scenario is: A web service (WCF Web Api) that uses an API Key to validate and tell me who the user is, and a mix of jQuery and application on the front ends.

在一方面，该业务可以为HTTPS，因此无法进行检查，但如果我用每个用户相同的密钥（例如一个GUID），​​而我用它在这两个再有就是它可以采取的机会，有人可能会模拟用户。

On the one hand, the traffic can be https so it cannot be inspected, but if I use the same key per user (say a guid), and I am using it in both then there's the chance it could be taken and someone could impersonate the user.

如果我实现了一个类似于OAuth的，那么用户和每个应用程序生成密钥，并且可以工作 - 但仍然是jQuery的一面，我需要在JavaScript的应用程序API密钥

If I implement something akin to OAuth, then a user and a per-app key is generated, and that could work - but still for the jQuery side I would need the app API key in the javascript.

这只会是一个问题，如果有人在实际的计算机上，并做了查看源代码。

This would only be a problem if someone was on the actual computer and did a view-source.

我应该怎么办？

1. 在MD5或以某种方式进行加密的密钥？
2. 把钥匙在会话变量，然后用ajax取回它的时候？
3. 在克服它，这不是什么大不了的事/问题。

我敢肯定，它可能是一个普遍的问题 - 所以任何指针将受到欢迎。

I'm sure it's probably a common problem - so any pointers would be welcome.

为了使其更清楚 - 这是我的API，我写了我对查询，而不是谷歌等，所以我可以每个会话令牌做，等等，我只是想制定，以确保客户端令牌/钥匙，我会用最好的方式。

To make this clearer - this is my API I have written that I am querying against, not a google, etc. So I can do per session tokens, etc, I'm just trying to work out the best way to secure the client side tokens/keys that I would use.

我是有点过于谨慎这里，但只是用这个来学习。

I'm being a bit overly cautious here, but just using this to learn.

推荐答案

（我建议标注这篇文章的安全。）

(I suggest tagging this post "security".)

首先，你要清楚你要保护什么反对。你能相信客户端呢？狡猾的用户可以贴的Greasemonkey脚本，您的网页上，并呼吁完全code，你的用户界面调用发送请求。在JavaScript封闭隐藏的一切只是意味着你需要一个调试器;它不会使攻击是不可能的。萤火虫可以跟踪HTTPS请求。也可以考虑一个妥协的客户端：是否有安装了键盘记录？是整个系统偷偷运行虚拟化，使攻击者可以在任何时间在他们的休闲检查任何部分的内存？当你作为公开为Web应用程序的安全性是非常棘手的。

First, you should be clear about what you're protecting against. Can you trust the client at all? A crafty user could stick a Greasemonkey script on your page and call exactly the code that your UI calls to send requests. Hiding everything in a Javascript closure only means you need a debugger; it doesn't make an attack impossible. Firebug can trace HTTPS requests. Also consider a compromised client: is there a keylogger installed? Is the entire system secretly running virtualized so that an attacker can inspect any part of memory at any time at their leisure? Security when you're as exposed as a webapp is is really tricky.

不过，这里有几件事情，你要考虑：

Nonetheless, here are a few things for you to consider:

1. 不考虑实际使用的键，但是，例如，你给后立即身份验证令牌，而HMAC哈希值。

1. Consider not actually using keys but rather HMAC hashes of, e.g., a token you give immediately upon authentication.

DOM存储可以是一个有点难以戳比cookie。

DOM storage can be a bit harder to poke at than cookies.

看一看谷歌的执行情况的OAuth 2 一个例如安全模型。基本上你使用令牌仅适用于在有限的时间（也许是为一个单一的IP地址）。即使标记被截取或克隆方式，它是唯一有效的时间长度短。当然，你需要小心你做什么，当令牌用完;攻击者可能只是做同样的事情，你的code做，并获得新的有效令牌？

Have a look at Google's implementation of OAuth 2 for an example security model. Basically you use tokens that are only valid for a limited time (and perhaps for a single IP address). That way even if the token is intercepted or cloned, it's only valid for a short length of time. Of course you need to be careful about what you do when the token runs out; could an attacker just do the same thing your code does and get a new valid token?

不要忽视服务器端安全性：即使你的客户要提交申请之前已经检查，再检查服务器上的用户是否确实有权去做他们在问什么。事实上，这个建议可能会避免最上面的。

Don't neglect server-side security: even if your client should have checked before submitting the request, check again on the server if the user actually has permission to do what they're asking. In fact, this advice may obviate most of the above.

这篇关于Web服务API密钥和Ajax - 保护的关键的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！