创建加密 API 密钥的最佳方法
我的应用程序中有一个开放的 API,我想为其提供访问密钥。传入的信息将是用户 ID、资源 ID 和要更新的值。我想要每个资源有一个 API 密钥。
最好我希望能够仅使用提供的数据来验证传入请求的真实性,而不检查任何类型的数据库(非常简单,非常快!)
如果我使用 md5 从资源 ID 生成 API 密钥,用户 ID 和盐,它可能看起来像这样......
authentic_request = md5(user_id + resource_id + salt) == api_key
我的问题实际上是一个关于我应该有多偏执的问题。像上面这样的东西用普通的旧 md5 就足够了吗?另一种选择是使用 openssl 针对 pem 生成密钥,然后可能对结果进行 md5 以保持简洁,这听起来是否过于偏执,甚至在现实中增加了一层安全性?
如有任何想法或替代方案,我们将不胜感激!
谢谢
I have an open API in my application that I'd like to provide access key's for. The incoming info will be a user id, resource id and a value to update with. I'd like one API key per resource.
Preferably I would like to be able to validate the authenticity of an incoming request using only the supplied data and not checking against any sort of database (very simple, very fast!)
If I used md5 to generate the API key from the resource ID, user id and a salt it might look something like this ...
authentic_request = md5(user_id + resource_id + salt) == api_key
My question is really one on how paranoid I should be. Would something like the above with just plain old md5 suffice? Another option would be to use openssl generate the key against a pem and then maybe md5 the result to keep it concise, does that sound overly paranoid or even add a layer of security in reality?
Any ideas or even alternataaives gratefully received!
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这实际上是基于哈希的消息身份验证代码的简单实现。
假设您要根据
(user_id, resource_id)对给出这些密钥,并对您调用salt的值保密,并且您预计不会有严重的攻击尝试,这应该会起作用。然而,最佳实践表明您应该使用比单纯串联更安全的算法来组合密钥和数据,以及更强的摘要算法,例如 SHA-1;有一个标准的 HMAC-SHA1 组合算法可以很好地解决这个问题。第三个值实际上是键,而不是盐;拥有该密钥就可以生成和验证身份验证代码。
This is effectively a simplistic implementation of a hash-based message authentication code.
Assuming you're going to give out these keys on the basis of the
(user_id, resource_id)pair and keep the value you're callingsaltsecret, and you're not expecting a serious attempt at an attack, this should work. However, best practice dictates that you should use a more secure algorithm than mere concatenation to combine the key and data, and a stronger digest algorithm such as SHA-1; there is a standard HMAC-SHA1 combination algorithm which would work nicely for this.The third value is actually a key, not a salt; possession of this key is what allows for both generation and validation of the authentication code.
这取决于您想要防止什么。就其本身而言,这可以防止 API 的随意滥用,但不能防止重放攻击。如果有人嗅探您的流量,那么他们将看到密钥并能够通过重用它来访问资源。在解决方案中添加 SSL 可以防止此类攻击。
当您这样做时,您也可以将 MD5 更改为 SHA-256。
It depends on what you're trying to protect against. On it's own this will prevent casual misuse of your API, but it won't prevent replay attacks. If someone is sniffing your traffic then they'll see the key and be able to access the resource by reusing it. Adding SSL to the solution would prevent this type of attack.
While you're at it you may as well change MD5 to SHA-256.