How safe is storing public key for certificate pinning?

It is usually recommended to store the public key for certificate pinning on mobile devices. A similar recommendation is made in this OWASP article. Though the application can be modified to tamper with the public key itself. So how secure is it to store a public key for certificate pinning?

The main question for you is: secure against what?

If you mean just generally, like is it safe to store the public key, then yes, it is. That's why it is known as the public key.

If you're trying to secure against MiTM attacks from stuff such as a Trusted CA signing a cert it should not have, then just using cert pinning is enough. So long as the cert is part of your application, and the base OS does a signature verification of your application, any changes to the cert, and by extension to your app, should be detected and the application should not be allowed to run.

If you're trying to prevent the end user from sniffing the HTTPS connection, then yes, he could replace the cert with his own and sniff to his heart's content. You could verify the cert by comparing the hash of the cert, encrypt the cert, etc., but there is no way to guarantee the user will not be able to reverse engineer your application.
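The answer above mentions verifying the cert by comparing a hash. In practice the hash is taken over the certificate's SubjectPublicKeyInfo (SPKI), not the whole certificate, which is why the question talks about storing the public key. The following is an added example, not code from the question or either answer: it extracts the SPKI from a DER certificate with a small hand-written parser, computes the `sha256/<base64>` pin form used by HPKP and by Android clients such as OkHttp, and checks it against a pin set. The certificates are constructed DER skeletons (empty names and validity, placeholder key bits, no real signature) built only to exercise the parser; `skeleton_cert`, `skeleton_spki` and all key bytes are assumptions of this example, not real X.509 data.

```python
"""SPKI pinning check over constructed DER certificate skeletons (added example)."""
import base64
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, OID, NULL = 0x30, 0x02, 0x03, 0x06, 0x05
EXPLICIT_0 = 0xA0  # [0] EXPLICIT tag wrapping the optional version field


def der_header(buf: bytes, pos: int):
    """Parse a DER tag and definite length at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def der_elements(buf: bytes, start: int, end: int):
    """Yield (tag, elem_start, elem_end) for each TLV packed in buf[start:end]."""
    pos = start
    while pos < end:
        tag, _, vend = der_header(buf, pos)
        yield tag, pos, vend
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER of subjectPublicKeyInfo from an X.509 Certificate."""
    tag, tbs_pos, _ = der_header(cert_der, 0)  # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != SEQUENCE:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs_start, tbs_end = der_header(cert_der, tbs_pos)  # tbsCertificate
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = list(der_elements(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == EXPLICIT_0:  # version is optional; skip it if present
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_start, spki_end = fields[5]
    if spki_tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a DER SEQUENCE")
    return cert_der[spki_start:spki_end]


def spki_pin(cert_der: bytes) -> str:
    """Pin string 'sha256/<base64(SHA-256(SPKI))>' for the certificate's public key."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole certificate, for contrast: it changes on every reissue."""
    return hashlib.sha256(cert_der).hexdigest()


def matches_pin_set(cert_der: bytes, pinned: list) -> bool:
    """True if the certificate's SPKI pin is in the shipped pin set."""
    actual = spki_pin(cert_der)
    # compare_digest avoids the early-exit behaviour of ordinary string comparison
    return any(hmac.compare_digest(actual, p) for p in pinned)


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


RSA_ENCRYPTION = der(OID, bytes.fromhex("2A864886F70D010101"))   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA = der(OID, bytes.fromhex("2A864886F70D01010B"))  # 1.2.840.113549.1.1.11


def skeleton_spki(key_bits: bytes) -> bytes:
    """SubjectPublicKeyInfo with rsaEncryption and constructed placeholder key bits."""
    alg = der(SEQUENCE, RSA_ENCRYPTION + der(NULL, b""))
    return der(SEQUENCE, alg + der(BIT_STRING, b"\x00" + key_bits))


def skeleton_cert(serial: int, spki: bytes) -> bytes:
    """Minimal Certificate skeleton: v3, serial, empty names/validity, given SPKI, dummy signature."""
    sig_alg = der(SEQUENCE, SHA256_WITH_RSA + der(NULL, b""))
    tbs = der(SEQUENCE,
              der(EXPLICIT_0, der(INTEGER, b"\x02"))  # version v3
              + der(INTEGER, bytes([serial]))         # serialNumber (serial < 128)
              + sig_alg                               # signature algorithm
              + der(SEQUENCE, b"")                    # issuer (empty placeholder)
              + der(SEQUENCE, b"")                    # validity (empty placeholder)
              + der(SEQUENCE, b"")                    # subject (empty placeholder)
              + spki)                                 # subjectPublicKeyInfo
    return der(SEQUENCE, tbs + sig_alg + der(BIT_STRING, b"\x00" * 17))


# Constructed samples: the server's key, the same key under a renewed certificate,
# and a key the app has never pinned (what a substituted certificate would carry).
SERVER_SPKI = skeleton_spki(bytes(range(1, 33)))
OTHER_SPKI = skeleton_spki(bytes(range(33, 65)))
CERT_ORIGINAL = skeleton_cert(1, SERVER_SPKI)
CERT_RENEWED = skeleton_cert(2, SERVER_SPKI)
CERT_FOREIGN = skeleton_cert(3, OTHER_SPKI)
PINNED = [spki_pin(CERT_ORIGINAL)]  # the pin the app ships with

if __name__ == "__main__":
    print("pin               :", PINNED[0])
    print("renewed cert ok   :", matches_pin_set(CERT_RENEWED, PINNED))
    print("fingerprint moved :", cert_fingerprint(CERT_ORIGINAL) != cert_fingerprint(CERT_RENEWED))
    print("foreign cert ok   :", matches_pin_set(CERT_FOREIGN, PINNED))
```

The renewed certificate passes while its whole-certificate fingerprint has changed, which is the practical reason pins are taken over the public key. Note what this does and does not defend against, in line with the answer: the pin set rejects a certificate carrying an unpinned key even when a trusted CA signed it, but the set itself lives inside the app, so anyone who can modify the app can modify the pins too.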

Revealing the public key is safe. That's the main principle behind public key cryptography.

If someone can tamper with the public key inside your Android app, they can also tamper with other parts of the app (for example, removing encryption completely or redirecting requests to an attacker).
