REST认证方案的安全性 [英] Security of REST authentication schemes
问题描述
背景:
我设计一个REST Web服务的身份验证方案。这并不是真正的必须是安全的(它更是一个个人项目的),但我想让它尽可能的安全作为一个练习/学习经验。我不希望使用SSL,因为我不想麻烦和,主要是,设置它的代价。
I'm designing the authentication scheme for a REST web service. This doesn't "really" need to be secure (it's more of a personal project) but I want to make it as secure as possible as an exercise/learning experience. I don't want to use SSL since I don't want the hassle and, mostly, the expense of setting it up.
这些SO问题是让我开始尤其有用:
These SO questions were especially useful to get me started:
- REST风格的认证
- <一个href="http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service">Best为确保一个REST API / web服务 实践
- <一个href="http://stackoverflow.com/questions/409338/examples-of-the-best-soap-rest-rpc-web-apis-and-why-do-you-like-them-and-whats">Examples最佳SOAP / REST / RPC的Web API的?为什么你喜欢他们吗?这有什么错呢?
- RESTful Authentication
- Best Practices for securing a REST API / web service
- Examples of the best SOAP/REST/RPC web APIs? And why do you like them? And what’s wrong with them?
我想使用的<一个简化版本href="http://docs.amazonwebservices.com/AmazonS3/2006-03-01/index.html?RESTAuthentication.html">Amazon S3的认证(我喜欢 OAuth的但似乎太复杂,我的需要)。我添加一个随机生成乱数时,由服务器提供的,该请求,以prevent重放攻击。
I'm thinking of using a simplified version of Amazon S3's authentication (I like OAuth but it seems too complicated for my needs). I'm adding a randomly generated nonce, supplied by the server, to the request, to prevent replay attacks.
要得到这个问题:
无论S3和OAuth的依赖以及一些选定的标题签署请求URL。 他们都没有签请求主体作为POST或PUT请求。这不是容易受到中间人攻击,这使URL和头和替换请求主体与攻击者想要?
Both S3 and OAuth rely on signing the request URL along with a few selected headers. Neither of them sign the request body for POST or PUT requests. Isn't this vulnerable to a man-in-the-middle attack, which keeps the url and headers and replaces the request body with any data the attacker wants?
好像我还可以通过包括请求体,获取签署的字符串中的哈希防止这种情况。这是安全的?
It seems like I can guard against this by including a hash of the request body in the string that gets signed. Is this secure?
推荐答案
一个previous答案只有在数据传输方面提到的SSL和实际上并没有涵盖认证。
A previous answer only mentioned SSL in the context of data transfer and didn't actually cover authentication.
你真的问安全认证REST API客户端。除非你使用TLS客户端认证,SSL的单独的是不是一个可行的身份验证机制的REST API。 SSL无客户端authc只有认证的服务器的,这是无关紧要的大多数的REST API,因为你真的想验证的客户的。
You're really asking about securely authenticating REST API clients. Unless you're using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API. SSL without client authc only authenticates the server, which is irrelevant for most REST APIs because you really want to authenticate the client.
如果您不使用TLS客户端身份验证,则需要使用像基于摘要身份验证方案(如亚马逊Web服务的定制方案)或OAuth的1.0A,甚至HTTP基本身份验证(但在SSL只)
If you don't use TLS client authentication, you'll need to use something like a digest-based authentication scheme (like Amazon Web Service's custom scheme) or OAuth 1.0a or even HTTP Basic authentication (but over SSL only).
这些方案验证,该请求被发送有人预期。 TLS(SSL)(无客户端身份验证)保证通过网络发送的数据仍然未被篡改。他们是独立的 - 但互补的 - 担心
These schemes authenticate that the request was sent by someone expected. TLS (SSL) (without client authentication) ensures that the data sent over the wire remains untampered. They are separate - but complementary - concerns.
对于那些有兴趣,我在一个太问题关于<一个扩展href="http://stackoverflow.com/questions/14043397/http-basic-authentication-instead-of-tls-client-certificaiton">HTTP身份验证方案以及它们如何工作。
For those interested, I've expanded on an SO question about HTTP Authentication Schemes and how they work.
这篇关于REST认证方案的安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
