Authenticity and Integrity of HTTP Requests


Question


I have an API endpoint where external websites can submit a POST request. What would be the best method to make sure the requests are authentic and also are not tampered with, so they respect the principle of integrity?

Since the data is not valuable such as credit card information, I do not require HTTPS integration.

I have had a look at both HMACs and Digital Signatures, and I believe the second option would be better, yet I am unsure if this is the way to go?

Similarly, would hashing the request and verifying it on my server be enough?

Solution

Both HMAC and digital signatures provide integrity and authentication:

  • integrity - because both of them are based on a hash. HMAC is a hash-based message authentication code. A digital signature is an encrypted hash of some message.
  • authentication - because HMAC uses a symmetric secret key, and a digital signature uses an asymmetric private key. Secret/private keys can be used only by the person who knows them = authentication. Checking secret/private keys on the recipient side in HMAC - the recipient also knows the secret, that's why we call it symmetric. Checking secret/private keys on the recipient side in a digital signature - the recipient also gets a public certificate which can be checked with a trusted third party.

Main difference - an HMAC message can't be checked/validated by a third party; only a person who knows the secret can validate/authenticate the message. A digitally signed message has a public certificate, and any person can check the message owner by deciphering the message with the attached public key, computing the hash, and checking the public key with a special trusted side.

Conclusion - use HMAC if you don't need anybody to be able to check whether some message really belongs to the sender.

Similarly, would hashing the request and verifying it on my server be enough?

No. A man-in-the-middle can modify your message and attach the hash of the modified message. Hashing provides integrity, which means that message modification will also change the hash, but the hacker doesn't worry about hash equality because he simply replaces the whole message, contents and hash! Some secret usage as in HMAC prevents such message replacements: the man-in-the-middle still can change the message, but he couldn't recompute the hash because he doesn't know the secret.
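The difference the answer describes, as an added example that is not part of the original post: a plain SHA-256 tag over a POST body can be recomputed by anyone who alters the body, while an HMAC-SHA256 tag keyed with a shared secret (a constructed value here) cannot. The canonical JSON serialization, the sample body and the field names are assumptions for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed shared secret: in practice provisioned out of band to each
# external site (one secret per sender) and never sent with the request.
SHARED_SECRET = b"example-shared-secret-do-not-use"

def canonical_body(payload: dict) -> bytes:
    """Serialize the POST body deterministically so both sides tag the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def plain_hash_tag(payload: dict) -> str:
    """The 'just hash the request' scheme from the question: no secret involved."""
    return hashlib.sha256(canonical_body(payload)).hexdigest()

def hmac_tag(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the same canonical bytes, keyed with the shared secret."""
    return hmac.new(secret, canonical_body(payload), hashlib.sha256).hexdigest()

def verify_plain_hash(payload: dict, tag: str) -> bool:
    return hmac.compare_digest(plain_hash_tag(payload), tag)

def verify_hmac(payload: dict, tag: str, secret: bytes = SHARED_SECRET) -> bool:
    # compare_digest avoids leaking how much of the tag matched via timing.
    return hmac.compare_digest(hmac_tag(payload, secret), tag)

def tamper_in_transit(payload: dict, scheme: str) -> tuple[dict, str]:
    """Model the man-in-the-middle from the answer: he changes the body and
    re-tags it with what he has (the message) but without the secret."""
    modified = dict(payload, amount=payload["amount"] * 100)
    if scheme == "hash":
        return modified, plain_hash_tag(modified)   # public hash: trivially recomputed
    return modified, hmac_tag(modified, b"")        # wrong key: tag will not verify

def demo() -> dict:
    original = {"order_id": 42, "amount": 10}  # constructed sample POST body
    h_body, h_tag = tamper_in_transit(original, "hash")
    m_body, m_tag = tamper_in_transit(original, "hmac")
    return {
        "hash_accepts_tampered": verify_plain_hash(h_body, h_tag),  # True: server fooled
        "hmac_accepts_tampered": verify_hmac(m_body, m_tag),        # False: rejected
        "hmac_accepts_genuine": verify_hmac(original, hmac_tag(original)),  # True
    }

if __name__ == "__main__":
    print(demo())
```

The server only ever accepts a body whose HMAC verifies under the sender's secret, so the tag doubles as the sender authentication the question asks for.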

