堆栈内存溢出
  简体   繁体   English

没有SSL的安全认证

[英]Secure authentication without SSL

 原文  2009-08-31 05:39:36       authentication/ web-applications/ ssl

问题描述

I'm starting to write a small web application and have started thinking about securing login (only used for administration). 我开始编写一个小型Web应用程序,并开始考虑保护登录(仅用于管理)。

If I could, I'd install a CACert or self-signed SSL certificate, since for now I'll be the only one logging in, but my host isn't too accommodating. 如果可以的话,我会安装一个CACert或自签名的SSL证书,因为现在我将是唯一一个登录的人,但我的主机不太适应。

Are there any reasonable options for securing the site without SSL? 没有SSL,是否有合理的选择来保护网站? I've been thinking about options for authentication: 我一直在考虑身份验证的选项:

  1. Implement a salted hash in JavaScript. 在JavaScript中实现salted哈希。 When the login page is loaded, generate a salt server-side. 加载登录页面时,生成salt服务器端。 Send it to the client in the clear and store it in a session variable. 以明文形式将其发送到客户端并将其存储在会话变量中。

  2. Digest authentication. 摘要式身份验证。 I just found this idea browsing SO, and it's probably a lot more reasonable than rolling my own auth. 我刚刚发现这个想法浏览SO,这可能比滚动我自己的身份验证更合理。

  3. OpenID. OpenID的。 It's an open standard, no passwords are required (and I can "hijack" my OpenID provider's SSL to add security to the login process), but I have no idea how OpenID works or how secure it is. 这是一个开放的标准,不需要密码(我可以“劫持”我的OpenID提供商的SSL以增加登录过程的安全性),但我不知道OpenID如何工作或它有多安全。 (Needs research. For example, can an OpenID authentication be replayed?) (需要研究。例如,可以重播OpenID身份验证吗?)

The problem with all of these is that: 所有这些的问题是:

  • Sessions can be hijacked 会话可能被劫持
  • Only login is secure, everything else is in the clear 只有登录是安全的,其他一切都是明确的

The only option I can think of for securing the app after login is some disgusting JavaScript and PHP sending encrypted blobs of ASCII back and forth. 我可以想到在登录后保护应用程序的唯一选择是一些恶心的JavaScript和PHP来回发送加密的ASCII blob。 I don't want to do this. 我不想这样做。

Is there any encryption (for pageloads and POSTs) that can be implemented in my server-side scripting language of choice without the blessing or involvement of my host, but that would be supported by the browser? 浏览器是否支持加密(对于页面加载和POST)可以在我的服务器端脚本语言中实现,而不需要我的主机的祝福或参与? Can sessions be secured from hijacking (practically) without SSL? 是否可以在没有SSL的情况下保护会话免受劫持(实际上)?

What would you do in a situation like this? 在这种情况下你会做什么?

3 个解决方案

解决方案1
 9 已采纳  2009-09-01 21:15:17

You can securely authenticate without needing to implement protection against eavesdropping. 您可以安全地进行身份验证,而无需实施防范窃听的保护。 For example, you can prevent others from sending requests, even though they can read the contents of your requests. 例如,您可以阻止其他人发送请求,即使他们可以读取您的请求内容。 If you need to protect against eavesdropping, I'd recommend just going somewhere where you can use SSL. 如果您需要防止窃听,我建议您去某个可以使用SSL的地方。

If you just need simple authentication without real security, your provider will probably support HTTP Basic. 如果您只需要简单的身份验证而没有真正的安全性,您的提供程序可能会支持HTTP Basic This (along with a good design which limits capabilities, and backups ;) is a reasonable interim solution while you worry about other problems. 这(以及限制功能和备份的良好设计;)是一个合理的临时解决方案,同时您担心其他问题。

For authenticating your identity, OpenID can't be replayed. 为了验证您的身份,无法重播OpenID。 Each authentication sequence is signed. 每个验证序列都已签名。 However, OpenID by itself only lets you establish your identity with the server. 但是,OpenID本身只允许您与服务器建立身份。 It won't let you sign or otherwise authenticate a request. 它不会让您签署或以其他方式验证请求。 OAuth would, but it requires transport encryption for part of the protocol. OAuth会,但它需要传输加密部分协议。

You could sign each request with a shared secret. 您可以使用共享密钥对每个请求进行签名。 This would prevent an attacker from submitting or replaying a request, but the requests themselves can still be read by an eavesdropper. 这可以防止攻击者提交或重播请求,但窃听者仍然可以读取请求本身。 See the documentation for Amazon AWS authentication (which includes client libraries) or flickr's authentication. 请参阅Amazon AWS身份验证(包括客户端库)或flickr身份验证的文档。 The basic protocol is: 基本协议是:

  • require a timestamp (and probably a nonce) as request parameters 需要时间戳(可能还有一个nonce)作为请求参数
  • normalize, sort, concatenate all request parameters 规范化,排序,连接所有请求参数
  • concatenate with URI, host, verb, etc. 与URI,主机,动词等连接
  • hash with secret key 使用密钥哈希
  • send hash in header with request 使用请求在标头中发送哈希值
  • server does the same and compares signature 服务器做同样的事情并比较签名

解决方案2
 3  2009-08-31 05:52:22

如果您认为这是一种有趣的方式,可以使用不同的身份验证和加密方法,但最便宜和最直接的解决方案是获取可以安装SSL证书的主机。

解决方案3
 1  2009-08-31 05:52:13

If you register the remote IP address in the session, it cannot be hijacked. 如果在会话中注册远程IP地址,则无法将其劫持。 Someone trying to use the session with a different IP address could be easily detected. 可以轻松检测到尝试使用具有不同IP地址的会话的人。 PHP Sessions use that by default (and I guess it is not optionable). PHP会话默认使用它(我猜它不可选)。 Simple and efficient solution. 简单有效的解决方案。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在不使用SSL的情况下保护身份验证Cookie - How to secure an authentication cookie without SSL 建立了无需SSL即可安全注册和身份验证的javascript解决方案 - Established javascript solution for secure registration & authentication without SSL 使用Google App Engine在没有SSL的情况下进行安全身份验证? - Secure authentication without SSL using Google App Engine? 不使用SSL保护密码验证 - Securing password authentication without SSL 如何在不使用SSL的情况下保护POST方法? - how to secure POST method without using SSL? 没有SSL的服务器和客户端安全标识 - Server and Client Secure Identification without SSL 没有基于登录的身份验证,有没有办法保护API? - Is there a way to secure an API without login based authentication? 没有has_secure_password的身份验证 - Authentication without has_secure_password 安全的WCF服务,除了SSL协议外还需要哪种身份验证? - Secure WCF service, what sort of authentication needed in addition to SSL protocol? 在没有证书的SSL握手中添加客户端身份验证 - Adding client authentication in SSL handshake without certificate
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM