服务器可以验证客户端应用程序以确保没有进行任何代码更改吗?
这可能不可能,但我希望我的服务器应用程序不仅验证用户名和密码,而且还验证客户端应用程序尚未被修改。
我想生成一个标识符,该标识符随每个构建而变化,但对于同一构建的多次运行保持不变。
我尝试过:
File jarFile = new File(this.getClass().getProtectionDomain().getCodeSource().getLocation().toURI());
int theID = jarFile.lastModified());
但是当放置在不同的机器上时,时间戳会发生变化。
我想要一个 Validate.class 来生成私有 ID。 Validate.class 被发送到服务器,服务器将 Validate.class 与其自己的类版本进行比较,然后验证类中包含的 ID。这在理论上可行吗?或者
It may not be possible, but I would like my Server application to not only validate username and password, but also validate that the Client application has not been modified.
I would like to generate an identifier that changes with each build, yet stays the same for multiple runs of the same build.
I tried:
File jarFile = new File(this.getClass().getProtectionDomain().getCodeSource().getLocation().toURI());
int theID = jarFile.lastModified());
But the time stamp gets changed when placed on different machines.
I'd like to have a Validate.class that generates the private ID. The Validate.class is sent to the Server which compares the Validate.class to its own version of the class, and then validates the ID contained in the class. Would this work in theory? Or
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不,你不能这样做。客户端正在自行进行计算并将其发送到服务器。攻击者所需要做的就是研究从合法客户端发送的内容(可以是硬编码值或客户端执行的计算),然后在与合法客户端建立自己的连接时简单地重复该值(或计算)。服务器。
No. You cannot do this. The client is making a computation on itself and sending that to the server. All an attacker would need to do is study what is being sent from the legitimate client (be that a hardcoded value or a computation performed by the client) and then simply repeat that value (or computation) when they are making their own connection to the server.
这并不容易,因为用于执行此检查的程序的任何部分都可以撒谎并说它通过了。
您想要的是一种名为远程证明的功能,其中某些硬件/软件可以证明系统处于特定状态的第三方。执行此操作的唯一方法是使用名为 可信平台模块 的硬件,但是,这限制了您的应用程序面向运行某些版本的 Windows 或 Redhat Linux 的用户,以及拥有硬件 TPM 的用户。简而言之,除非你为国家安全局写这篇文章,否则不值得。
Not easily, since any part of the program you used to do this check could be made to lie and say it passed.
What you want is a feature called remote attestation where some piece of hardware/software attests to a third party that the system is in a particular state. The only way to do this is used a piece of hardware called a Trusted Platform Module However, this limits your application to users running certain versions of window or maybe redhat linux, and people with hardware TPMs. In short, unless your writing this forthe NSA, its not worth it.