Is it possible to force web service calls only from known clients?
Scenario:
A publicly available Web Service that I have full control over.
But I only want this specific desktop application (my published application) to have access to the Web Service.
I could store a secret password in the desktop client, but that would be easy to crack.
Is there any known implementation that enforces this?
PKI, asymmetric keys?
Comments (3)
If the public will have access to copies of this Desktop App, any good reverser will be able to crack it and "imitate" its transactions with the server. It doesn't matter how secure your cryptography is; everything your app needs to encrypt/decrypt data is included in the binaries, so the cracker only needs to dig it out of them.
The objective of cryptography is to protect data while it is being transferred from "man-in-the-middle" hackers, but if you have access to any one of the peers, you can easily crack it.
Your server must never trust what comes from the client side.
[edit resuming]
Although you cannot 100% guarantee that a supposed client of your server is or isn't your App or some "emulator" made by third parties, you can complicate things for them. It's a common practice in game anti-cheats to sometimes, randomly, ask the client App a trick question like "what's the hash of your main.exe from offset A to offset B?" or "from now on packet type 0x07 swaps with packet type 0x5f". Once a fake is detected, the server enters a "silly mode", acts malfunctional, and blacklists their IP/account into this mode for several hours so they cannot be sure of what their program is doing wrong.
If you detect someone is building an emulator, make them start all over again: jumble the packet type tables, cryptography tables, change some packet formats and force your clients to update. You won't see crackers bothering you for a while... LOL
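The "hash your main.exe from offset A to offset B" challenge described in this answer, written out as an added example (not code from the answerer). The server keeps its own golden copy of the published binary so it can compute the expected answer; the offsets and a fresh nonce are chosen per challenge so an old answer cannot be replayed. The binary bytes, the `Server`/`Challenge` names and the nonce size are constructed for the example. As the answer itself says, anyone holding a copy of the binary can compute the same answer, so this raises the effort for an emulator, it does not prove the caller is your app.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Challenge is what the server sends: "HMAC your own executable bytes from
// OffsetA to OffsetB, keyed with this nonce". The nonce is fresh per challenge
// so a recorded answer from an earlier session is useless.
type Challenge struct {
	OffsetA, OffsetB int
	Nonce            []byte
}

// Server holds the golden copy of the published binary (constructed sample
// bytes here; in practice the file you shipped) to compute expected answers.
type Server struct{ Golden []byte }

// NewChallenge picks a random non-empty byte range inside the binary and a
// 16-byte nonce.
func (s *Server) NewChallenge() (Challenge, error) {
	n := len(s.Golden)
	if n < 2 {
		return Challenge{}, errors.New("binary too small to challenge")
	}
	a, err := rand.Int(rand.Reader, big.NewInt(int64(n-1))) // 0 .. n-2
	if err != nil {
		return Challenge{}, err
	}
	start := int(a.Int64())
	l, err := rand.Int(rand.Reader, big.NewInt(int64(n-start))) // 0 .. n-start-1
	if err != nil {
		return Challenge{}, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{OffsetA: start, OffsetB: start + int(l.Int64()) + 1, Nonce: nonce}, nil
}

// Answer is what an honest client computes over its own on-disk bytes.
func Answer(c Challenge, self []byte) ([]byte, error) {
	if c.OffsetA < 0 || c.OffsetB > len(self) || c.OffsetA >= c.OffsetB {
		return nil, errors.New("challenge range outside the binary")
	}
	mac := hmac.New(sha256.New, c.Nonce)
	mac.Write(self[c.OffsetA:c.OffsetB])
	return mac.Sum(nil), nil
}

// Verify recomputes the answer from the golden copy and compares in constant time.
func (s *Server) Verify(c Challenge, answer []byte) bool {
	expected, err := Answer(c, s.Golden)
	return err == nil && hmac.Equal(expected, answer)
}

func main() {
	golden := []byte("constructed stand-in for the published main.exe bytes 0123456789")
	srv := &Server{Golden: golden}
	c, _ := srv.NewChallenge()
	honest, _ := Answer(c, golden)
	patched := append([]byte(nil), golden...)
	for i := range patched { // a client that modified every byte
		patched[i] ^= 0xff
	}
	fake, _ := Answer(c, patched)
	fmt.Println("honest client passes:", srv.Verify(c, honest), " patched client passes:", srv.Verify(c, fake))
}
```

Blacklisting or "silly mode" on failure is a policy decision outside this block; the check itself only returns the verdict.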
WS-Security provides for X509 encryption.
Part of that implementation includes the possibility of only giving specific clients the generated public key. That way, only your selected clients can connect to the service.
The easiest way is message security using client and server certificates. The best way is to import the client certs in your server machines and hard code the client cert thumbprint in the app.config file. The other way is negotiation of certs, which I haven't tried before.
If you are using IIS to host the service then client certificates using SSL is another option.
MSDN link on WCF Security.
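The approach in this answer and in the WS-Security one above, client certificates with the accepted thumbprints hard-coded on the server, as an added example in Go's standard library rather than WCF (this is not code from either answerer or from Microsoft). It is also the answer to the question's "PKI, asymmetric keys?": the client proves possession of a private key during the TLS handshake, and the server compares the presented certificate's thumbprint against an allow list. Assumptions: throwaway self-signed certificates generated in-process (a real deployment issues them from your own CA), a SHA-256 thumbprint (the WCF app.config value is the SHA-1 one shown in the certificate MMC; the pinning logic is identical), loopback TCP, and the names `SelfSigned`, `ServerConfig` and `TryHandshake`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned builds a throwaway self-signed certificate for the example.
func SelfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Thumbprint is the hex SHA-256 fingerprint of a DER certificate (assumed here
// in place of the SHA-1 value WCF puts in app.config).
func Thumbprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// ServerConfig demands a client certificate and accepts only thumbprints on the
// allow list; the pin replaces chain building, so no CA trust store is consulted.
func ServerConfig(serverCert tls.Certificate, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("no client certificate presented")
			}
			if !allowed[Thumbprint(raw[0])] {
				return errors.New("client certificate not on the allow list")
			}
			return nil
		},
	}
}

// TryHandshake performs one loopback handshake and reports the server's verdict.
// The server side is authoritative: under TLS 1.3 the client may consider the
// handshake complete before the server has rejected its certificate.
func TryHandshake(serverCfg *tls.Config, serverLeaf *x509.Certificate, clientCert tls.Certificate) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		verdict <- c.(*tls.Conn).Handshake()
	}()
	roots := x509.NewCertPool()
	roots.AddCert(serverLeaf) // the client trusts only our own server certificate
	clientCfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{clientCert}, RootCAs: roots, ServerName: "localhost"}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		conn.Read(make([]byte, 1)) // wait for the server's alert or close
		conn.Close()
	}
	select {
	case err := <-verdict:
		return err == nil, nil
	case <-time.After(5 * time.Second):
		return false, errors.New("timed out waiting for the server verdict")
	}
}

func main() {
	serverCert, serverLeaf, _ := SelfSigned("api.example.test", x509.ExtKeyUsageServerAuth)
	known, _, _ := SelfSigned("published-client", x509.ExtKeyUsageClientAuth)
	stranger, _, _ := SelfSigned("emulator", x509.ExtKeyUsageClientAuth)
	cfg := ServerConfig(serverCert, map[string]bool{Thumbprint(known.Certificate[0]): true})
	okKnown, _ := TryHandshake(cfg, serverLeaf, known)
	okStranger, _ := TryHandshake(cfg, serverLeaf, stranger)
	fmt.Println("known client accepted:", okKnown, " unknown client accepted:", okStranger)
}
```

The first answer's caveat still applies: the client's private key ships inside your published binary, so whoever extracts it can present the same certificate. What the pin buys you is that only holders of that key can talk to the service, and that a leaked key is revoked by removing one thumbprint from the server's list and shipping a new certificate with the next client update.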