本文是小编为大家收集整理的关于在应用程序中实施(安全)Api密钥的处理/解决方法,可以参考本文帮助大家快速定位并解决问题,中文翻译不准确的可切换到English标签页查看源文。
问题描述
我写了一个web应用程序,我想允许其他开发人员从中获取信息.
服务器IM工作不是那个AWSOME和无法处理多种请求,因此想法是为想要查询信息的每个人生成和分配API键.使用API键,我可以限制日常请求,也许收集一些统计信息,以查看对其他开发人员真正有用的信息.
是,我关注它的安全方面.由于API键将被发送到我们的服务器(通过GET/POST等),有人可以用Wireshark嗅到请求,并在没有多大努力的情况下获取开发人员API键,对右?
我考虑生成一个密钥和API密钥.然后,我可以指导其他开发人员连接它们并向我们的API发送哈希.然后,我会验证哈希有效并允许请求......但是同一个问题将持续存在.黑客仍然可以嗅探该哈希并代表其他开发人员的应用程序提出请求.
所以我的问题是
- 如何避免这个问题?
- 还是更好,我甚至有效吗?这是一个真正的问题吗?
- 有没有更好,安全的方式来允许访问我的信息而不使其对其他开发人员太复杂?
你们想什么?
推荐答案
我觉得你在这里试图解决一堆不同的问题.
如果您的目标是限制服务器的请求次数,则应创建一个限制机制.这是非微不足道的,但我将其基于IP地址而不是许可证密钥(单个许可用户可能会浏览大量请求.您可以在不实现许可机制的情况下通过IP地址淋进.
如果要创建许可方案,则需要了解加密等 - 这是一个非琐碎的问题.例如,您如何停止与所有朋友共享其许可证密钥的合法用户?您如何阻止黑客窃取您的钥匙并与他所有的朋友分享它?
此解决方案 - 它们都对您的用户施加了一定程度的痛苦.例如,您可以在HTTPS上运行您的服务;这停止窥探,但减少了性能.您可以为您的服务发出"令牌",其在一定数量的用途后到期;获取新代币需要加密交换(可能会检查您的IP地址).您可能需要"挑战/响应"类型的逻辑(包括IP地址验证).所有这些步骤对您的用户来说更难得更加困难;他们可能不会感谢他们必须做的额外工作.
其他推荐答案
相对于嗅探,您的问题可以使用服务器上的HTTPS解决.
其他推荐答案
如果要限制Access +潜在一些使用率限制,则肯定是在API上放置一些身份验证.如果您使用API键并希望避免嗅探,那么HTTPS绝对是前往的方式.如果这不是一个选项,那么您还可以使用像OAuth 1.0(http://oauth.net/core/1.0/)或Amazon AWS身份验证的哈希样式Auth.这些工作通过用ID和秘密发出API用户.它们通过将客户端的秘密插入到消息正文中,计算哈希并在请求中包括哈希(不是秘密).在传入的侧面,您将哈希与包含在邮件内容上完成的哈希相同的操作,其中包含其特定的密钥.
这意味着您可以在不必通过电线发送秘密的情况下验证发件人(请注意内容仍然不安全 - 但您避免使用每个请求将键传递给电线).缺点是开发商实施它是复杂的.即使您使用的oauth 1.0模式,它有一个图书馆,它是它的一点开销.
我在3scale工作,我们的一些工具可能会有所帮助 - 我们的系统提供API键,OAuth秘密共享以及API率限制的框(http://www.3scale.net和php库是在这里: https://github.com/3scale/3scale_ws_api_for_php ).
问题描述
I wrote a Web Application and I would like to allow other developers to get the information from it.
The server Im working on is not that awsome and cant handle that many request, so the idea is to generate and assign api keys to everyone that wants to query our information. With Api keys I can limit the daily requests and perhaps collect some statistics to see what information is really useful for the other developers.
The thing is, Im concerned about the security aspect of it. Since the Api key is going to be sent to our server (via GET/POST etc), someone could sniff the request with wireshark and get the developers API key without much effort, right?
I thought about generating a secret key and an API key. I could then instruct the other developers to concatenate them and send a hash of it to our API. I would then validate that the hash is valid and allow the request... But then the same problem would persist. A hacker could still sniff that hash and make requests on behalf of the other developer's app.
So my questions are
- How can I avoid this problem?
- Or better yet, Is my concern even valid? Is that a real problem?
- Is there a better and secure way to allow access to my information without making it too complicated for the other developers?
What do you guys think?
推荐答案
I think you're trying to solve a bunch of different questions here.
If your objective is to limit the number of requests to your server, you should create a throttling mechanism. This is non-trivial, but I'd base it on IP address rather than a license key - a single licensed user might swamp your system with lots of requests. You can throttle by IP address without implementing a license mechanism.
If you want to create a licensing scheme, you need to understand cryptography etc. - it's a non-trivial problem. For instance, how do you stop a legitimate user sharing their license key with all their friends? How do you stop a hacker from stealing your key and sharing it with all of his friends?
There are a number of solutions to this - they all impose some degree of pain on your users. For instance, you can run your service on HTTPS; this stops snooping, but reduces performance. You can issue "tokens" for your service which expire after a certain number of uses; getting new tokens requires a cryptographic exchange (which might check your IP address). You might require a "challenge/response" type of logic (including an IP address validation). All these steps make life harder for your users; they probably won't thank you much for the extra work they have to do.
其他推荐答案
With respect to sniff, your problem can be solved with HTTPS on your server.
其他推荐答案
it definitely makes sense to put some authentication on the API if you want to limit access + potential some usage rate limits. If you use an API key and want to avoid sniffing then HTTPS is definitely the way to go. If that's not an option then you can also use a hash-style auth like oAuth 1.0 (http://oauth.net/core/1.0/) or Amazon AWS authentication. These work by issuing your API users with an ID and a Secret. They use the secret on the client side by inserting it into the message body, computing a hash and including the hash (not the secret) in the request. On the incoming side you compare the hash with the same operation done on the message content with their specific secret included.
This means that you can verify the sender without having to send the secret over the wire (note that the content still isn't secure - but you avoid passing the key over the wire with every request). The downside is that it's complex for developers to implement. Even if you use the oAuth 1.0 pattern which there are libraries for it's a bit of an overhead.
I work at 3scale and some of our tools might be helpful also - our systems provide API Keys, oAuth Secret sharing and also API rate limits out of the box (http://www.3scale.net and the PHP libraries are here: https://github.com/3scale/3scale_ws_api_for_php).
更多相关问答
联系站长