使用基于时间的旋转散列或字符串来实现安全性 [英] Using a time-based, rotating hash or string for security

问题描述

在CMS应用程序中，我偶尔需要打开另一个域的iframe。目前，我将该iframe的网址设置为非常模糊的内容。像 http://domain.com/iframe/jhghjg34787386/ 。这在理论上可行，但iframe源URL将保存在用户的历史记录中，并可从外部访问。

所以，我想知道如何使用基于时间的方法来处理在请求端处理并在iframe源端进行检查的不断变化的哈希或字符串。不过，我希望它是基于时间的。

我可以这样做来获得我的哈希：

 < ？php 
 
 $ seed ='123456789'; //父母和源都有
 $ string = md5（time（）。$ seed）的密码; 
？> 
  

但是这两台服务器必须完全同步。任何方式使时间约束更模糊？

我也接受其他方法。有什么方法可以验证iframe的父窗口是否属于某个特定的域？ 您可以添加一个键到你的散列并发送带查询的时间戳，例如：

  $ key =YOUR_SECRET_KEY; 
 $ time = time（）; 
 $ hash = hash_hmac（'sha256'，$ time，$ key）; 
 $ url =https://example.com/iframe?hash=$hash&time=$time; 
  

另一方面，您应该首先检查时间戳是否在限制范围内（例如，不要超过五分钟），而不是重复使用密钥和提交的时间戳。如果您获得相同的哈希值，则该请求有效。

注意：

• 不要使用MD5：算法完全破坏，不再提供任何安全性（虽然在与HMAC一起使用时应该仍然可以）...
  
• 您应该使用 hash_compare 用于比较哈希以防止计时攻击我们使用HMAC来保证数据完整性和身份验证。请参阅 https://crypto.stackexchange.com/questions/1070 / why-is-hkx-not-a-secure-mac-construction 为什么我们不能只是把时间和空间连接起来？键

In a CMS app I occasionally need to open an iframe of another domain. At the moment I am setting the URL for that iframe to something very obscure. Like http://domain.com/iframe/jhghjg34787386/. This works but theoretically that iframe source url will get saved in the user's history and could be accessed from the outside world.

So, I am wondering about using a time-based approach to an ever-changing hash or string that is processed on the request side and is checked on the iframe source side. However I would like it to be time based.

I could do this to get my hash:

<?php 

   $seed = '123456789'; // a password that both the parent and source have
   $string = md5(time().$seed); 
?>

But then the two servers have to be exactly synced. Any way to make the time constraint more fuzzy?

I am also open to other approaches. Is there any way to validate that the parent window for an iframe is of a certain domain?

解决方案

You could add a key to your hash and send the timestamp with the query, e.g.:

$key = "YOUR_SECRET_KEY";
$time = time();
$hash = hash_hmac('sha256', $time, $key);
$url = "https://example.com/iframe?hash=$hash&time=$time";

On the other side you should first check if the timestamp is in the limits (e.g. not older than five minutes) and than rehash with the key and the submitted timestamp. If you get the same hash the request is valid.

Notes:

• don't use MD5: the algorithm is completely broken and doesn't provide any security anymore (although it's supposed to still be ok when used with an HMAC…)
• you should use hash_compare for comparing hashes to prevent timing attacks
• we use an HMAC to guarantee data integrity and authentication. See https://crypto.stackexchange.com/questions/1070/why-is-hkx-not-a-secure-mac-construction for why we mustn't just concatenate time & key

这篇关于使用基于时间的旋转散列或字符串来实现安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！