安全的Web服务(WCF),无需在使用者应用程序上存储凭据
[英]Secure Webservice (WCF) without storing credentials on consumer application
问题描述
I have a customer that sells a lottery analysis application. 
我有一个销售彩票分析应用程序的客户。 In this application, he consumes a webservice (my service, I mean, belongs to the company I work for now) to get statistical data about lottery results, bets made, amounts, etc., from all across the globe. 在这个应用程序中,他使用了一个Web服务(我的服务是我现在服务的公司)属于我的服务,以便从全球获取有关彩票结果,下注,金额等的统计数据。 The access to this webservice is paid, and each consult costs X credits. 该Web服务的访问权已付费,每个咨询费用为X点数。
Some people have disassembled this lottery application and found the api key/auth key used to access the paid webservice, and started to use it. 有人拆开了此彩票应用程序,发现用于访问付费Web服务的api密钥/身份验证密钥,并开始使用它。
I would like to prevent this from happening again, but I can't find a way to authenticate on the webservice without storing the auth. 我想防止这种情况再次发生,但是如果不存储auth,就无法找到一种在Web服务上进行身份验证的方法。 keys on the application. 应用程序上的键。 Does anyone have any ideas on how to accomplish such task? 是否有人对如何完成这项任务有任何想法?
ps1.Can't ask for the users to input any kind of credentials. ps1。不能要求用户输入任何种类的凭据。 Has to be transparent for them (they shouldn't know what is happening). 必须对他们透明(他们不应该知道发生了什么)。
ps2. ps2。 Can't use digital certificates for the same reason above, not to mention it's easy to retrieve them and we would fall into the original problem. 由于上述相同原因,无法使用数字证书,更不用说检索数字证书很容易了,我们将陷入最初的问题。
Thanks in advance. 提前致谢。
2 个解决方案
解决方案1
1 2010-03-25 14:39:49
Briefly, you cannot do this efficiently. 简而言之,您无法有效地做到这一点。 You face a similar problem as the video game company. 您面临着与视频游戏公司类似的问题。
You might use some form of 'code obfuscation' but it's a form of security through obscurity and you cannot guaranty the effectiveness of this. 您可能会使用某种形式的“代码混淆”,但是它是一种通过模糊处理来确保安全的形式,因此您无法保证其有效性。
You might reduce the exposure by using different keys for each client and, on the server side, ensure a key cannot be used by different client simultaneously. 您可以通过为每个客户端使用不同的密钥来减少暴露,并在服务器端确保不同客户端无法同时使用密钥。 This is basically what the the video game industry does that has a real benefit. 这基本上是视频游戏行业所做的真正有益的事情。
解决方案2
0 2010-03-25 16:13:52
It can't be done. 不能做
You have to either embed the credentials into the application (hard coded or whatever) or prompt the user to enter them. 您必须将凭证嵌入到应用程序中(硬编码或其他方式),或提示用户输入它们。
Locking the web services to a single application is also ineffective since it can be easily discovered and bypassed, just like embedding the credentials. 将Web服务锁定到单个应用程序也是无效的,因为可以轻松地发现和绕过它,就像嵌入凭据一样。
Since you cant control the clients or the environment(restrict access by IP, domain, etc.), IMHO you're pretty screwed :( 由于您无法控制客户端或环境(限制通过IP,域等的访问),恕我直言,您很不高兴:(
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.