I have been reading this: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
It is a very good article. One question that came to mind concerns this step (in the second half of the article):
4. (OPTIONAL) The only way to protect against “replay attacks” on your API is to include a timestamp of some kind along with the request so the server can decide if this is an “old” request, and deny it. The timestamp must be included into the HMAC generation (effectively stamping a created-on time on the hash) in addition to being checked “within acceptable bounds” on the server.
5. [SERVER] Receive all the data from the client.
6. [SERVER] (see OPTIONAL) Compare the current server’s timestamp to the timestamp the client sent. Make sure the difference between the two timestamps is within an acceptable time limit (5-15 mins maybe) to hinder replay attacks.
If a timestamp has to be sent, that means it must go into the hash on both the client and the server, so the exact same time has to be used on both sides. That in turn means I have to send the date either in plain text or encrypted, probably as a header value. Is that correct? Because if it is sent plain, then couldn't a replay attacker simply modify the date so that it falls within the acceptable range (for validation purposes)... So we could encrypt the date, but that means both a hash and encrypted data are in play, rather than just encrypting all the data together.
Is my assessment correct, or is there a way to include the date securely? Or does it have to be encrypted in this case?
Thanks.
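The scheme the question describes, as an added example that is not from the linked article or the poster: the timestamp travels in plaintext but is covered by the HMAC, so a replayed request is rejected as stale, and a replayed request whose timestamp has been edited into the window is rejected because the signature no longer matches. The secret, window size and request fields are assumptions for the example.

```python
import hmac
import hashlib
import time

# Constructed shared secret; in practice the per-client API secret.
SECRET = b"example-shared-secret"
WINDOW_SECONDS = 15 * 60  # upper end of the 5-15 minute bound the article suggests


def canonical_string(method, path, body, timestamp):
    # Everything the server will later check is bound into one string,
    # including the plaintext timestamp.
    return "\n".join([method, path, body, str(timestamp)])


def sign_request(method, path, body, timestamp, secret=SECRET):
    msg = canonical_string(method, path, body, timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_build(method, path, body, now=None):
    # The client sends the timestamp in the clear alongside the signature.
    ts = int(now if now is not None else time.time())
    return {"method": method, "path": path, "body": body,
            "timestamp": ts, "signature": sign_request(method, path, body, ts)}


def server_verify(req, now=None, secret=SECRET):
    now = int(now if now is not None else time.time())
    # Freshness check first: stale or far-future timestamps are rejected.
    if abs(now - req["timestamp"]) > WINDOW_SECONDS:
        return False, "timestamp outside window"
    expected = sign_request(req["method"], req["path"], req["body"],
                            req["timestamp"], secret)
    # Constant-time comparison of the client's signature with ours.
    if not hmac.compare_digest(expected, req["signature"]):
        return False, "bad signature"
    return True, "ok"


def with_fresh_timestamp(req, now):
    # Models a captured request whose timestamp was edited into the window
    # without knowing the secret: the original signature is kept as-is.
    return dict(req, timestamp=int(now))
```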