如何防止重播攻击? [英] How do I prevent replay attacks?
问题描述
这与另一个相关问我问总而言之,我有一个URL的特殊情况,当表单被POST时,我不能依靠cookie进行身份验证或维护用户的会话,但我不知何故需要知道他们是谁,我需要知道他们已经登录了!
This is related to another question I asked. In summary, I have a special case of a URL where, when a form is POSTed to it, I can't rely on cookies for authentication or to maintain the user's session, but I somehow need to know who they are, and I need to know they're logged in!
我想我想出了一个解决我的问题的解决方案,但它需要充实。这是我在想什么我创建一个名为username的隐藏表单字段,并在其中放置用户的用户名,加密。然后,POST的形式即使我没有从浏览器收到任何cookie,我知道他们已经登录,因为我可以解密隐藏的表单域并获取用户名。
I think I came up with a solution to my problem, but it needs fleshing out. Here's what I'm thinking. I create a hidden form field called "username", and place within it the user's username, encrypted. Then, when the form POSTs, even though I don't receive any cookies from the browser, I know they're logged in because I can decrypt the hidden form field and get the username.
我可以看到的主要安全漏洞是重播攻击。如何防止某人获得该加密字符串,并以该用户身份登录?我知道我可以使用SSL来更难以窃取字符串,也可以定期旋转加密密钥来限制字符串的有效期,但是我真的很想找到一个防弹的解。有人有什么想法吗? ASP.Net ViewState是否阻止重播?如果是这样,他们如何做?
The major security flaw I can see is replay attacks. How do I prevent someone from getting ahold of that encrypted string, and POSTing as that user? I know I can use SSL to make it harder to steal that string, and maybe I can rotate the encryption key on a regular basis to limit the amount of time that the string is good for, but I'd really like to find a bulletproof solution. Anybody have any ideas? Does the ASP.Net ViewState prevent replay? If so, how do they do it?
编辑:我希望有一个不需要任何数据存储在数据库中的解决方案。应用程序状态将是可行的,除非它不能在IIS重新启动或在Web场或花园场景中完全工作。现在我接受了克里斯的回答,因为我不相信甚至可以在没有数据库的情况下确保这一点。但是如果有人提出不涉及数据库的答案,我会接受它!
Edit: I'm hoping for a solution that doesn't require anything stored in a database. Application state would be okay, except that it won't survive an IIS restart or work at all in a web farm or garden scenario. I'm accepting Chris's answer, for now, because I'm not convinced it's even possible to secure this without a database. But if someone comes up with an answer that does not involve the database, I'll accept it!
推荐答案
如果你在时间戳以及用户名和密码,您可以在几秒钟内关闭重播攻击的窗口。我不知道这是否满足您的需求,但至少是部分解决方案。
If you hash in a time-stamp along with the user name and password, you can close the window for replay attacks to within a couple of seconds. I don't know if this meets your needs, but it is at least a partial solution.
这篇关于如何防止重播攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
