iPhone HTTP request security

Posted 2024-09-08 00:51:34 · 252 words · 6 views · 0 comments

I don't know much about these types of things, so please excuse the noobness.

I am sending an HTTP request to a server and I want the server to know that the request is authentic, so I have a p12 with a certificate and key (pre-made by the server) bundled with my application, which I extract and use as a credential when I send my request to the server and get a challenge.

But I'm wondering how secure this is? My password to decrypt the p12 is in my code, and therefore isn't that string able to be seen by someone who cracks my app's binary? If so, then wouldn't they be able to decrypt the p12 and use it to make a malicious request to my server?

Thanks

Comments (1)

人海汹涌 2024-09-15 00:51:34

Have you considered using HTTPS with client-certificate authentication? This would definitely solve your authentication problem, but I'm not sure how this works within the iPhone. (Safari has issues with the way client certificates are chosen, for example.)
This would do the authentication at the transport level (TLS, under HTTP).

If you want to do this at the message level (within HTTP), you could also use a digest that you sign with the private key in the header.
There is already a standard header for digests (Content-MD5), but I wouldn't recommend MD5 because of weaknesses discovered recently. Try SHA-1 or above, perhaps.
Those digests wouldn't be signed, so you would need an extra header to sign this (e.g. X-Content-RsaWithSha1), and perhaps another one to send the certificate if the server doesn't know which certificate to expect in advance.
You would also need to support reading and verifying those custom headers on the server side.

The HTTPSec specification addresses message-level security at the HTTP level, although I'm not aware of any iPhone implementation.

Regarding the security of the p12 file: if your app intends to use it and it's bundled within the app, you're going to have to ship its password somehow, so cracking the binary would certainly also reveal that password and thus the private key.
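The message-level scheme the answer sketches (a digest of the body in one header, an RSA signature over that digest in another, both checked on the server) as an added example in Go; this is not code from the answer or the original post. It uses only the Go standard library. The header names X-Content-Digest and X-Content-RsaWithSha256 are assumptions, SHA-256 is used as the "SHA-1 or above" choice, and the RSA key is generated at startup as a stand-in for the key the asker ships inside the p12.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Header names are assumptions for this example; SHA-256 stands in for "SHA-1 or above".
const (
	DigestHeader    = "X-Content-Digest"        // base64(SHA-256(body))
	SignatureHeader = "X-Content-RsaWithSha256" // base64(RSA PKCS#1 v1.5 signature over that digest)
)

// SignBody hashes the body and signs the hash with the client's private key (client side).
func SignBody(priv *rsa.PrivateKey, body []byte) (digestB64, sigB64 string, err error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", "", err
	}
	return base64.StdEncoding.EncodeToString(digest[:]), base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyBody recomputes the digest of the body actually received, compares it with the
// digest header, then checks the signature with the public key the server trusts (server side).
func VerifyBody(pub *rsa.PublicKey, body []byte, digestB64, sigB64 string) error {
	claimed, err := base64.StdEncoding.DecodeString(digestB64)
	if err != nil {
		return fmt.Errorf("bad digest header: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("bad signature header: %w", err)
	}
	actual := sha256.Sum256(body)
	if subtle.ConstantTimeCompare(claimed, actual[:]) != 1 {
		return errors.New("body digest does not match header")
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, actual[:], sig); err != nil {
		return errors.New("signature does not verify")
	}
	return nil
}

// SignedHandler lets only requests with a valid digest and signature reach next; the rest get 401.
func SignedHandler(pub *rsa.PublicKey, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap how much we are willing to hash
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		if err := VerifyBody(pub, body, r.Header.Get(DigestHeader), r.Header.Get(SignatureHeader)); err != nil {
			http.Error(w, "unauthorized: "+err.Error(), http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the key inside the asker's p12
	if err != nil {
		panic(err)
	}
	srv := httptest.NewServer(SignedHandler(&priv.PublicKey, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "accepted")
	}))
	defer srv.Close()
	signedBody := []byte(`{"action":"sync"}`) // constructed sample payload
	digestB64, sigB64, err := SignBody(priv, signedBody)
	if err != nil {
		panic(err)
	}
	// Send the signed body, then a body modified after signing (its digest header no longer matches).
	for _, sent := range [][]byte{signedBody, []byte(`{"action":"wipe"}`)} {
		req, _ := http.NewRequest(http.MethodPost, srv.URL, bytes.NewReader(sent))
		req.Header.Set(DigestHeader, digestB64)
		req.Header.Set(SignatureHeader, sigB64)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			panic(err)
		}
		resp.Body.Close()
		fmt.Printf("%s -> HTTP %d\n", sent, resp.StatusCode)
	}
}
```

Running it, the signed body gets HTTP 200 and the body altered after signing gets HTTP 401. Two design points worth keeping in mind: the digest is compared in constant time and the body is size-capped before hashing, and the scheme proves possession of the private key, nothing more. That is exactly the answer's closing caveat: a key extracted from the app binary produces headers the server cannot distinguish from the real app's. A replayed request would also pass unchanged, so a deployment would want a timestamp or nonce included in the signed data.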
