为什么RSA签名通常不用于RESTful apis?
[英]Why isn't RSA signing usually used in RESTful apis?
问题描述
I develop a simple app that doesn't use (at least, at first) any third-party authorization. 
我开发了一个简单的应用程序,它不使用(至少在开始时)任何第三方授权。 I want to create a RESTful api to be used by iOS/Android/whatever clients, so I've read a bunch of information about implementation of RESTful APIs. 我想创建一个RESTful api供iOS / Android /任何客户端使用,所以我读了很多关于RESTful API实现的信息。 However, the usual ways of implementing them involve sending some sort of secure "token" that is used to sign the requests; 但是,实现它们的常用方法涉及发送某种用于签署请求的安全“令牌”; this leaves the API vulnerable to man-in-the-middle attack, and recommended way to counter it is to use HTTPS. 这使得API容易受到中间人攻击,并且推荐的解决方法是使用HTTPS。
However, reading all this left me wondering, why aren't private/public keys signing (like RSA) used for this. 然而,阅读所有这些让我想知道,为什么不使用私有/公钥签名(如RSA)。 That way, the client would generate private and public keys from the password, send the public key on registration and keep the private key on the client, and even if someone got hold of all the communications between the server and client, he still wouldn't be able to impersonate the client. 这样,客户端将从密码生成私钥和公钥,在注册时发送公钥并将私钥保存在客户端上,即使有人掌握了服务器和客户端之间的所有通信,他仍然不会能够冒充客户。
But I know almost nothing about cryptography and security, so there must be reasons why this method isn't used that I couldn't think of, right? 但我对密码学和安全性几乎一无所知,所以必须有理由说明为什么这种方法没有被我想不到,对吧?
1 个解决方案
解决方案1
0 2014-04-08 10:48:03
At the moment there is no scheme exists allowing asymmetric key pair derivation from the password. 目前还没有允许从密码导出非对称密钥对的方案。
Another problem is with public key registration. 另一个问题是公钥注册。 There is a problem with doing authentication, because anyone can have asymmetric key pair, so some additional information must be provided. 执行身份验证时出现问题,因为任何人都可以拥有非对称密钥对,因此必须提供一些其他信息。 Public key certificate could be such information, however, this requires client to be a user of some public key infrastructure. 公钥证书可以是此类信息,但是,这要求客户端是某些公钥基础结构的用户。 Another option, which is used in practice, is that client public key/certificate is provisioned to the server beforehand. 在实践中使用的另一个选项是预先将客户端公钥/证书提供给服务器。
At the end TLS (HTTPS) is already using asymmetric keys to perform authentication and exchange session keys. 最后,TLS(HTTPS)已经使用非对称密钥来执行身份验证和交换会话密钥。 Client verifies server's public key certificate (server authentication) and server optionally may do the same for client's public key certificate (client authentication). 客户端验证服务器的公钥证书(服务器身份验证),服务器可以选择对客户端的公钥证书(客户端身份验证)执行相同的操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.