帮助设计安全网络协议
在应用程序中,我有一个网络服务器和客户端。 握手后,假设客户端发送“userId sessionId SOME_COMMAND param param param”。
我已经识别了客户端,并在服务器上相应地检查了 sessionId,因此身份不再是问题。
但我想防止黑客修改消息或创建虚假消息,例如发送 “userId sessionId SOME_COMMAND paramModified paramModified paramModified”。
我考虑过使用一对私有/公共加密密钥,并在消息本身中发送消息的哈希值。但由于它是在客户端程序中自动化的,我可能必须在握手期间发送公钥。因此黑客可以简单地检索它并生成正确的哈希值。
我还可以使用复杂的加密种子或算法,但我与黑客的经验告诉我,他们会反编译任何东西。
所以底线是:我可以隐藏服务器上运行的所有内容,但无法隐藏客户端程序上的任何内容。我想禁止修改客户端程序应该发送的消息。
我什至不知道这是否可能。我愿意接受任何建议。顺便说一句,我正在使用 Java,尽管它应该不是很相关。谢谢。
In an app, I Have a network server and clients.
After a handshake, let's say the client sends "userId sessionId SOME_COMMAND param param param".
I have already identified the client and the sessionId is checked on the server accordingly, so identity is no more an issue.
But I'd like to prevent a hacker to modify the message or create a false one, for example sending "userId sessionId SOME_COMMAND paramModified paramModified paramModified".
I thought about using a pair of private/public encryption keys, and send the hash of the message in the message itself. But since it's automated in the client program, I may have to send the public key during the handshake. So the hacker could simply retrieve it and generate the proper hash.
I could also use complex encryption seeds or algorithms, but my experience with hackers has shown me that they will decompile anything.
So the bottom line is: I can hide everything that runs on the server, but I can't hide anything on the client program. And I'd like to to forbid to modify the message that the client program is supposed to send.
I don't even know if it's possible. And I'm opened to any suggestion. And by the way, I'm using Java, although it should not be very relevant. Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
忘了它。像其他人一样使用 SSL。有些复杂的问题你甚至还没有开始解决。
Forget it. Use SSL like everybody else. There are complexities which you haven't even begun to address.