Securing REST API using signature

Updated: 2024-10-28 06:36:54


I have some problems understanding how to secure a REST API. When a client signs up, the password is hashed and sent to the server through HTTPS. Then the server stores hash(password + private salt).

When the client consumes a REST service, he creates the request and a signature HMAC-SHA1 with his own password (like here). Server side, how can the server sign the request to compare with the client signature if the password is hashed and salted in the database?

I know the data appears in clear over the web, but I just want to authenticate the user.

Best answer


You are right. If the password is stored hashed and salted on the server side, it is not possible to verify the HMAC computed on the request: a MAC requires a shared secret between the client and the server.

Some solutions could be:

- Using a dedicated API key which is not the user password. As far as I know, this is the AWS choice. The password is used for administrative operations on the user account (e.g. changing the billing contact) and the API key is only used by the API client. In this case, if this API key is compromised, it is relatively easy to revoke it and generate a new one, with a more limited impact on security.
- Using HTTPS with X509 client certificates. This is a more heavyweight solution and probably more complex to set up. However, it is transparent for the API users since the authentication is moved to the transport layer of the protocol.
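The following is an added example, not code from the question or the answer above. It shows both halves of the answer's point: a server that only holds a salted password hash cannot reproduce a password-keyed HMAC, while a dedicated API key (stored server side as a shared secret, looked up by key id) lets the server recompute and verify the signature and revoke the key independently of the password. HMAC-SHA256 is used in place of the HMAC-SHA1 mentioned in the question; the key table, salt, secret values and canonical request layout are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed server-side store (assumption: a dict stands in for the database).
# The user's password is kept only as a salted hash, exactly as the question
# describes; the API key secret is a separate shared secret, as the answer suggests.
PASSWORD_SALT = b"constructed-salt"
USER_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
API_KEYS = {"key-id-1": b"constructed-api-secret-1"}  # key id -> secret


def canonical_request(method: str, path: str, body: bytes) -> bytes:
    """Bytes that get signed. Client and server must build this identically,
    so the body is bound by its SHA-256 digest rather than copied verbatim."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_digest}".encode()


def sign(secret: bytes, method: str, path: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    return hmac.new(secret, canonical_request(method, path, body), hashlib.sha256).hexdigest()


def verify(key_id: str, method: str, path: str, body: bytes, signature: str) -> bool:
    """Server side: look up the shared secret by key id, recompute, and compare
    in constant time so the check does not leak how many bytes matched."""
    secret = API_KEYS.get(key_id)
    if secret is None:          # unknown or revoked key
        return False
    expected = sign(secret, method, path, body)
    return hmac.compare_digest(expected, signature)


def revoke(key_id: str) -> None:
    """Revocation touches only the API key table; the password is untouched."""
    API_KEYS.pop(key_id, None)


def password_hmac_verifiable(password: bytes, method: str, path: str, body: bytes) -> bool:
    """The question's scheme: the client keys the HMAC with the raw password, but
    the server only has the salted hash. The best the server can do is key its
    HMAC with that hash, which is a different key, so the MACs never match."""
    client_sig = sign(password, method, path, body)
    server_sig = sign(USER_PASSWORD_HASH, method, path, body)
    return hmac.compare_digest(client_sig, server_sig)


if __name__ == "__main__":
    body = b'{"qty": 1}'
    sig = sign(API_KEYS["key-id-1"], "POST", "/orders", body)
    print("api-key signature verifies:", verify("key-id-1", "POST", "/orders", body, sig))
    print("tampered body verifies:", verify("key-id-1", "POST", "/orders", b'{"qty": 99}', sig))
    print("password-keyed HMAC verifiable from salted hash:",
          password_hmac_verifiable(b"correct horse", "POST", "/orders", body))
```

The server never needs the password here: it only needs the API secret, which is why a compromised key can be rotated without touching the user's account credentials.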

Published: 2023-07-05 02:46:00
Source: https://www.elefans.com/category/jswz/34/1032132.html