堆栈内存溢出
  简体   繁体   English

如何通过HTTP保护Web服务调用

[英]How to secure a web service call over HTTP

 原文  2014-01-23 05:43:29       web-services/ security/ http/ hash/ parameters

问题描述

What would be a best practice to secure a web service call over HTTP communication channel? 在HTTP通信通道上保护Web服务调用的最佳实践是什么?

I aim to using extra parameters in query string to make time-limited hash values (generated by a calculation on client side) to define that sending request is valid. 我的目标是在查询字符串中使用额外的参数来制作限时哈希值(由客户端的计算生成),以定义发送请求有效。 This will be understand by server side application how knows the client algorithm. 服务器端应用程序将了解如何知道客户端算法。 But this way has a risk also when the client application is de-compiled! 但是,这种方式在客户端应用程序反编译时也存在风险!

So what is the best way? 那么最好的方法是什么? I'm looking for a dynamic algorithm, any thought? 我在寻找一种动态算法,有什么想法吗?

1 个解决方案

解决方案1
 0  2014-01-30 16:56:05

From your comment it sounds like your need is to guard against "replay attacks" (someone sending the same request twice, when you only want for them to be able send it once). 从您的评论看来,您的需求是防范“重播攻击”(某人两次发送相同的请求,而您只希望他们能够发送一次)。 A common way to handle this is to use a nonce. 解决此问题的常用方法是使用随机数。 At a basic level, it works like this: 在基本级别上,它的工作方式如下:

1) Client wants to make a request; 1)客户要提出要求; before doing that, it asks the server for a nonce, which is a value which will not be reused and shouldn't be predictable (eg based on the time). 在执行此操作之前,它会向服务器请求一个随机数,该随机数是一个不会被重用且不可预测的值(例如,基于时间)。

2) Client gets the nonce from the server, then makes its request, sending back to the server the nonce it just got from it 2)客户端从服务器获取随机数,然后发出请求,将刚从其获取的随机数发送回服务器

3) If the client (or another client) then tries to make the request already made in step 2 above, the server won't accept it, because it'll contain a nonce which the server has already marked as "used." 3)如果客户端(或另一个客户端)随后尝试做出上述步骤2中已经发出的请求,则服务器将不会接受该请求,因为它将包含一个已被服务器标记为“已使用”的随机数。

That's a slight oversimplification, but that's how nonces work to prevent replay attacks. 这有点过分简化,但这是nonce用来防止重放攻击的方式。

Note: "nonce" comes from "number used once." 注意:“立即”来自“一次使用的号码”。 But nonces don't actually need to be numbers. 但是随机数实际上不需要是数字。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何保护网络服务呼叫 - How to secure web service call 通过HTTPS页面上的HTTP调用Web服务 - Call web service over HTTP on HTTPS page 如何保护网络服务? - how to secure web service? 将Web引用添加到安全的http Web服务 - Adding Web Reference to a secure http web service 调用Web服务(SOAP over HTTP)无状态意味着什么? - What does it imply to call a web service (SOAP over HTTP) stateless? 通过安全连接在PAT端口上使用Web服务 - web service on PAT port over secure connection 通过HTTP的Web服务XML - Web service XML over HTTP 如何保护地理定位网络服务? - How to secure a geolocation web service? 如何使用SSL保护Web服务 - How to secure a web service with ssl 通过https呼叫Web服务 - Call web service over https
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM