
I wonder if it is possible to have an easy authentication method that is RESTful, fast and provides a little security.

SSL is not an option, because I can't rely on a valid SSL certificate on the servers of clients. Also HMAC is not really possible because the body of the request should be signed, when used properly, but in my case that body could be a large file. Furthermore, the authentication should be possible with JavaScript/AJAX.

I thought about something really simple. What's the problem with that one:

HEADER: X-Authentication: timestamp:username:sha256(timestamp:password)

The server knows the user's password and could check the hash; the timestamp is used to only allow requests that took place e.g. 10 seconds before. The replay window would be extremely small, and there are no sessions on the server side.

If the hash is cracked the attacker knows the password and has unlimited access.

An alternative would be to use

HEADER: X-Authentication: timestamp:username:HMAC(password, 'timestamp+request-method+verb')

What's the way to go? I'm not a security pro, maybe storing the session on the server would be better (but not RESTful)?

2 Answers

I built a random hash algorithm for what you need; it is called jAuthenticate.

You can download it from: https://github.com/thomasoeser/jAuthenticate

You can see how it works here: http://furiousgryphon.com/jauthenticatedemo.html

The reason it is a strong algorithm (in my opinion) is that I use random numbers to influence the hash, but I am sending an obfuscated number along with the hash.

Each hash is for one-time use only.

Take a look, it's free and open source (MIT).

Answered 2012-10-20T10:26:51.707

HTTP authentication is extensible, so you can invent your own mechanism (obviously at your own risk!). For details see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-p7-auth-20

Don't bother inventing a new X-header of your own. Using the existing Authorization header with your scheme is a better option. For example

Authorization: kruemel-auth timestamp:HMAC(password, 'timestamp+request-method+verb')

Ideally the new scheme would be registered with IANA along with a specification. A registry is being set up to keep track of the authentication schemes that have been developed. See http://tools.ietf.org/id/draft-ietf-httpbis-authscheme-registrations-03.html

Answered 2012-09-18T20:19:16.797