如何验证客户端应用程序以信任从其发送的消息
基本问题
我如何知道是我的可公开访问(客户端)应用程序正在发送我的服务消息? 我如何知道不是其他应用程序在冒充我的应用程序?
一些背景
目前,我们通过 log4net 和 WCF 将网站上发生的所有错误记录到数据库中。 这种方法效果很好,因为 Web 服务器(可从 Web 访问 - 部分受信任)通过信任关系向应用程序服务器(不可从 Web 访问 - 受信任)上运行的 WCF 服务报告错误。 因此,我们知道所有错误日志都是真实的,我们需要对其进行调查。
在我们的新网站中,我们计划利用 SilverLight 来让事情变得活跃起来。 我们面临的问题是如何将运行在 Web 消费者 PC(不受信任)上的 SilverLight 应用程序的错误报告回我们的应用程序服务器(无法从 Web 访问 - 受信任)。
我们可以通过让客户端通过Web服务器上的服务门面进行通信来解决应用服务器无法访问的问题,这样就不用担心了。 当我们需要确保发送消息的应用程序确实是我们的应用程序而不仅仅是一个模仿者时,就会出现问题。
一些想法
该代码将用C#编写,并在客户端PC本地运行的SilverLight应用程序中运行,因此我们不能保证它不会被反编译并用于向我们的服务发送虚假消息。
上述意味着我们无法使用传统的对称加密,因为我们无法将私钥存储在应用程序中(它可以被反编译)。 同样,我们不能使用非对称加密,因为它可能会被冒充(攻击者可以使用存储的公钥签署消息并发送它们 - 消息看起来是真实的)
在此应用程序的情况下,没有用户身份验证,因此我们不能用它来为我们提供信任。
是的,我知道这很奇怪,因为错误日志比应用程序显示的数据受到更好的保护,但事实就是这样:)
任何想法或帮助将不胜感激!
The basic question
How do I know that it is my publicly accessible (client) application that is sending my service messages? How do I know that it is just not some other application that is impersonating my application?
Some Background
Currently we log all errors that occur on our websites via log4net and WCF to a database. This works well because the web server (accessible from the web - Partly Trusted) reports there errors to the WCF service running on the application server (inaccessible from the web - Trusted) via a trusted relationship. We therefore know that all error logs are real and we need to investigate them.
With our new sites we plan to make use of SilverLight to liven things up a little. The problem we are faced with is how to report errors back from the SilverLight application running on the web consumer's PC (Untrusted) to our application server (inaccessible from the web - Trusted).
We can solve the inaccessibility problem of the application server by making the client communicate via a service facade on the web server, so that is no worry. The problem occurs when we need to be sure that the application sending the messages really is our application and not just an impersonator.
Some Thoughts
The code will be written in C# and be running in a SilverLight application that runs locally on the client PC, so we cannot be guaranteed that it will not be decompiled and used to send fake messages to our service.
The above means that we cannot make use of conventional symmetric encryption because we can't store our private key in the application (it can be decompiled). Similarly we can't use asymmetric encryption since it could just be impersonated (the attacker could just sign messages with the stored public key and send them - the messages would look real)
In the case of this application there is no user authentication, so we cannot use that to provide us with trust.
Yes, I know this is rather bizzare with the error logs being better protected than the data the application displays, but it is the case :)
Any thoughts or help would be greatly appreciated!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
不可能的。
您可以对用户进行身份验证,但不能对应用程序进行身份验证。
假设您决定对应用程序进行数字签名。 然后,客户端应用程序在运行时读取此签名,并根据此签名检查其自己的可执行二进制文件。 没有什么可以阻止对手简单地从您的应用程序中删除此检查。
即使您几乎不可能对您的应用程序进行逆向工程,对手也总是可以查看通信通道并编写一个看起来与您的客户端到您的服务器没有区别的冒名顶替者。
您唯一能做的就是根据用户身份验证服务器上的操作。
Impossible.
You can authenticate users, but not the application.
Let's say you decide to digitally sign the application. This signature is then read at runtime by your client application checking its own executable binaries against this signature. There is nothing that prevents the adversary from simply removing this check from your application.
Even if you make it close to impossible to reverse engineer your application, the adversary could always look at the communication channel and write an imposter that looks indistinguishable from your client to your server.
The only thing you can do is validate the actions on the server against a user identity.
据推测,您的服务器正在创建 Silverlight 应用程序所在的网页。您可以创建一个仅该网页包含的短期临时“密钥”。 当 Silverlight 应用程序启动时,它会读取此密钥并使用它。 由于服务器本身有一个不断变化的、非常短的允许密钥列表,因此您可以更加确定只有您的应用程序正在访问您的服务。
Presumably, your server is creating the web page that the Silverlight application sits in. You could create a short-lived temporary "key" that only that web page contains. When the Silverlight app starts up, it reads this key and uses it. Because the server itself has a constantly changing, very short list of allowed keys, you can be more sure that only your app is accessing your services.
在这个问题上,对您来说最好的建议是聘请安全专家来帮助您。 这不是一个独特或不寻常的问题——考虑任何试图确定它是在与真实客户还是欺诈客户交谈的游戏(例如《魔兽世界》)。 即使付出了巨大的努力(查找暴雪守望者,我不会在此处链接),他们仍然存在问题。 问题归结为你的攻击者到底会投入多少时间和精力来阻止你对他施加压力的尝试。 只要确保在服务器端验证所有内容即可。 :)
The best advice for you in this matter is to hire a security expert to help you. This is not a unique or unusual problem -- consider any game (like WoW for example) that is attempting to determine if it is speaking to a true client or a fraudulent client. Even with a massive amount of effort (look up Blizzard Warden, I'm not going to link it here), they still have issues. The problem boils down to exactly how much time and effort your attacker is going to invest in thwarting your attempts to make thing hard on him. Just be sure to validate everything on the server-side. :)