
Is JSON RPC over TLS secure enough?

I intend to have a PHP web service accepting JSON-RPC over TLS (HTTPS). Every client will have an API key that I will use for identification purposes. Is that enough security? Is there a JSON-RPC-specific security standard?

That's a fine way of doing things. Here's an overview of the requirements and of the components that play a part in your security scheme:

Checklist

Here's the checklist of what security is needed, and how you would address it:

  • A third party can't eavesdrop on your communications. HTTPS provides this.
  • A third party can't tamper with your communications. HTTPS provides this too.
  • The client can authenticate the server. HTTPS provides this (*).
  • The server can authenticate the client.

Client authentication

There are lots of ways to authenticate the client. Here are a few examples:

  • Use the API key to calculate an HMAC of the request and include the HMAC as a header in the request (**). The most secure, but more complicated to set up. The key advantage is that should your server be compromised, API keys won't be exposed.
  • Include the API key itself in the request. Easier to set up, may be sufficient security depending on your requirements.
  • ...

(*): So long as the client library does. HTTPS requires that you use a certificate that validates your site corresponds to the domain name. Unfortunately, many HTTPS libraries do not validate this by default.
(**): You should also use a nonce to prevent against replay attacks.
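As an added example (not code from the question or from either answer), here is the HMAC-plus-nonce scheme the answer above describes, written in Python so both sides fit in one runnable file: the client signs the key id, a timestamp, a fresh nonce and the exact JSON-RPC body bytes; the server recomputes the MAC in constant time, rejects stale timestamps, and refuses a nonce it has already accepted. The header names, the in-memory key store and the 300-second window are assumptions; in the PHP service from the question the same logic maps onto hash_hmac() and hash_equals() with the nonce store in a database or cache.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample key store: key id -> shared secret. The secret itself never
# travels on the wire, so a server-side leak of request logs does not expose it.
API_SECRETS = {"client-42": b"constructed-secret-please-rotate"}

# Nonces accepted within the window (a real server keeps these in a DB/cache with TTL).
SEEN_NONCES = {}
MAX_SKEW_SECONDS = 300


def _mac(secret, key_id, ts_raw, nonce, body):
    # Newline-joined fields so a boundary between them cannot be shifted by the sender.
    msg = b"\n".join([key_id.encode(), ts_raw.encode(), nonce.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(key_id, secret, body, now=None):
    """Client side: produce the headers that accompany a JSON-RPC body (bytes)."""
    ts_raw = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(16)  # 128 random bits; unique per request
    return {"X-Api-Key-Id": key_id, "X-Timestamp": ts_raw, "X-Nonce": nonce,
            "X-Signature": _mac(secret, key_id, ts_raw, nonce, body)}


def verify_request(headers, body, now=None):
    """Server side: return (ok, reason). Bad MAC, stale timestamp or reused nonce -> reject."""
    now = now if now is not None else time.time()
    key_id = headers.get("X-Api-Key-Id", "")
    secret = API_SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    ts_raw = headers.get("X-Timestamp", "")
    if not ts_raw.isdigit():
        return False, "missing or malformed timestamp"
    if abs(now - int(ts_raw)) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptance window"
    nonce = headers.get("X-Nonce", "")
    expected = _mac(secret, key_id, ts_raw, nonce, body)
    # Constant-time compare so an attacker cannot learn the MAC byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    # Replay check after the MAC check, so unauthenticated traffic cannot fill the store.
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    SEEN_NONCES[nonce] = int(ts_raw)
    # Drop nonces that are now too old to be accepted anyway.
    for n, t in list(SEEN_NONCES.items()):
        if abs(now - t) > MAX_SKEW_SECONDS:
            del SEEN_NONCES[n]
    return True, "ok"
```

The timestamp bounds how long a nonce must be remembered, which is what keeps the replay store from growing without limit.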

You could be signing a request using a secret salt (+ hashing algo of choice, MD5 will do fine) because this way an eavesdropper cannot obtain the "API key" and forge his own requests. Use a very long salt.

The salt also acts to protect against intentional altering of a message by a successful eavesdropper.

How can there be a man in the middle? TLS (SSL) is not much security against man-in-the-middle attacks, unless you issue whitelisted certificates per client. For example, the server in the middle (attacker) obtains valid certificates, or the client application is not checking for various certificate validity settings (expiration dates, etc.). If not under your control, it is likely that clients of your RPC server will connect without doing any sort of security checks. This is a widespread problem. Eavesdropping usually implies access to your (or your client's) network, so this could mean poisoned DNS traffic redirects to the rogue server.

Whether your or your client's network connection is secure enough to exclude the possibility of DNS poisoning, or your client is checking the certificates for validity, or you force the client to use whitelisted SSL certificates, are things only you can influence or decide upon.

You might also want to prevent replay attacks by assigning a unique number for each request (possibly overkill if these API calls are just for reading) for denying duplicate requests.

The API keys you mentioned are generally used when browser-side JavaScript clients are involved, to track usage. API keys are reissued, when stolen, to identify and disable unauthorized apps (and maybe automatically make a list of the fraudulent domain names for further [lawsuit] action).
