Securing communication [Authenticity, Privacy & Integrity] with mobile app?

Views: 141

Problem description

An Android/iPhone app will be accessing application data from the server. [Django-Python]

How can I secure the communication with the mobile app?

Expectation: Secure enough for sensitive information like passwords; there shall be no direct way of decryption except brute-forcing.

My requirements


  • Authentication [only the app is authorized]

  • Integrity [no modification]

  • Privacy [communication unreadable if sniffed]

My efforts


  • SSL authenticates only the Server, not the client.
  • I cannot use a symmetric encryption [Provides only Privacy]
  • Digital signature is not possible [Lacks Privacy]
  • PGP fulfills all 3 requirements.

Problems


  • PGP requires storing keys on the client app.
  • There seems to be no assuring way of securing keys on the client app.
  • If the key is out, then PGP or symmetric encryption are equally vulnerable.
  • Reverse-engineering PGP keys or symmetric keys is equally hard.
  • In that case PGP is a non-sense burden on the mobile processor.
  • OAuth is again useless, since it also has a client key.

So, how can/should I move forward on this? How does the industry deal with this?

Should I go the casual way:


  • Use simple SSL and cross my fingers, since authentication is not possible if the keys are stolen? (Only server authentication is possible with this)

Update:

Conclusion was to use AES, since if I can keep the key secure then I am as good as SSL. Plus I can keep changing the key over time for better security. Contribute if you think there is a better way, but do read the entire post before posting.

Recommended answer

You're working on bad information. SSL can absolutely authenticate the client; it's just not something that is done for the bulk of SSL, as the protocol is (or, at least was) typically used to protect e-commerce sites where authentication of the server was important but doing so with the client was not important and/or not feasible. What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.

Here's the high-level approach. Create a self-signed server SSL certificate and deploy it on your web server. If you're using Android, you can use the keytool included with the Android SDK for this purpose; if you're using another app platform like iOS, similar tools exist for them as well. Then create a self-signed client certificate and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and to only accept the one server-side certificate you installed on your server for that part of it.

If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.

A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages, as there are resources on the web about how to deal with self-signed SSL certificates in both Android and iOS, on both the server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
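The mutually-authenticated TLS setup the answer describes, as an added example that is not part of the original answer or of the IT屋 page: a server that presents its own self-signed certificate and accepts exactly one client certificate, and a client that identifies itself with that certificate and trusts only the pinned server certificate. It uses Python's standard `ssl` module (the question's server is Django-Python; a plain socket server stands in for Django here, since in production the TLS termination would normally sit in the front-end proxy), and it assumes the `openssl` command-line tool is installed, which it uses only to mint three self-signed certificates: the server's, the genuine app's, and a third one the server has never seen. All function names (`make_self_signed`, `server_context`, `client_context`, `serve`, `call`, `demo`) are this example's own. It goes one step beyond the answer by also showing, from both ends of the connection, what happens when a client presents no certificate or an unknown one.

```python
"""Mutually authenticated TLS on localhost with Python's stdlib ssl module.

Added example (not the answer's code). Assumes the `openssl` CLI is present;
it is used only to create the self-signed certificates, which is the role the
Android keytool plays in the answer.
"""
import functools
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(directory, name, cn, san=None):
    """Mint a self-signed certificate + private key with the openssl CLI (assumed installed)."""
    key = os.path.join(directory, f"{name}.key")
    crt = os.path.join(directory, f"{name}.crt")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-days", "1", "-subj", f"/CN={cn}", "-keyout", key, "-out", crt]
    if san:  # the server cert needs a SAN so the client's hostname check can pass
        cmd += ["-addext", f"subjectAltName=DNS:{san}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return key, crt


def server_context(server_key, server_crt, trusted_client_crt):
    """Server side: present our certificate and REQUIRE the one client cert we issued."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=server_crt, keyfile=server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED               # no cert, or an unknown one: handshake fails
    ctx.load_verify_locations(cafile=trusted_client_crt)  # the ONLY client certificate trusted
    return ctx


def client_context(client_key, client_crt, pinned_server_crt):
    """Client side: identify with the app's cert and trust only the pinned server cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)     # check_hostname + CERT_REQUIRED by default
    ctx.load_verify_locations(cafile=pinned_server_crt)  # replaces the public CA bundle entirely
    ctx.load_cert_chain(certfile=client_crt, keyfile=client_key)
    return ctx


def serve(ctx, listener, n_connections, log):
    """Handle n connections; record per connection whether the client was accepted."""
    for _ in range(n_connections):
        raw, _ = listener.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as tls:  # TLS handshake happens here
                log.append(True)                                  # what you would log/alert on
                tls.sendall(b"hello " + tls.recv(1024))
        except ssl.SSLError:        # e.g. "peer did not return a certificate" / verify failed
            log.append(False)


def call(ctx, port, payload):
    """Return the server's reply, or None if the connection was refused at the TLS layer."""
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(payload)
                reply = tls.recv(1024)
                return reply or None  # under TLS 1.3 a rejected client cert surfaces on first read
    except OSError:                   # ssl.SSLError and ConnectionResetError are both OSError
        return None


@functools.lru_cache(maxsize=None)   # certificates are minted once per process
def demo():
    """Run three clients against one mTLS server; return what each side observed."""
    with tempfile.TemporaryDirectory() as d:
        srv_key, srv_crt = make_self_signed(d, "server", "localhost", san="localhost")
        app_key, app_crt = make_self_signed(d, "app", "mobile-app")
        other_key, other_crt = make_self_signed(d, "other", "some-other-client")

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
        listener.listen(5)
        port = listener.getsockname()[1]
        accepted = []
        worker = threading.Thread(
            target=serve,
            args=(server_context(srv_key, srv_crt, app_crt), listener, 3, accepted),
            daemon=True)
        worker.start()

        no_cert = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # trusts the server, has no client cert
        no_cert.load_verify_locations(cafile=srv_crt)
        results = {
            "genuine_app": call(client_context(app_key, app_crt, srv_crt), port, b"ping"),
            "no_client_cert": call(no_cert, port, b"ping"),
            "unknown_client_cert": call(client_context(other_key, other_crt, srv_crt), port, b"ping"),
        }
        worker.join(timeout=15)
        listener.close()
        results["server_accepted"] = accepted   # expected: [True, False, False]
        return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The client context loads only the server's own certificate with `load_verify_locations`, which is the pinning the answer describes: a certificate from any public CA, however valid, is rejected. On the server, `CERT_REQUIRED` plus a trust store containing just the app certificate means the handshake itself fails for every other client, so application code never sees those requests; the boolean the server records per connection is exactly the signal you would want in your access logs to spot non-app clients probing the API.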
