Protecting public/private keypair in web app

My application requires a public and private keypair combo in order to create signed URLs to access our assets from CloudFront. The issue I am having is how to protect this keypair so that an unauthorized user could not simply download the keypair themselves, and generate signed URLs without our permission.

I considered encrypting the keypair, but this seems like it would do no good, as the encryption key would have to be stored in the client side code, which is visible in JavaScript. I cannot think of any other way to protect the keypair from someone who is simply able to use Chrome dev tools.

Does anyone know of a way that I can protect my keypair without having to store a secret key in the client side code? I have already considered code obfuscation, but this technique seems very easy to work around. I am looking to find out if anything else is possible.

Thank you.

You don't need to protect your public key because it's public.

You'll need to sign your URLs on the server, not in the browser.

The most secure way to protect your private key is with a hardware security module, but they're not cheap.

The next best way is to protect it with access controls on your server.
