Authenticating requests to an ASP.Net Web API from a mobile application (feedback on my design requested)

Time: 2022-11-16 20:13:36

I'm designing a web site that will have a mobile companion (initially iPhone only). The web site will be an ASP.Net MVC 3 application. I'll also have an ASP.Net Web API site (MVC 4) to expose services to the iPhone application. The iPhone app will have its own form to capture username and password from the user and send that to the web API in JSON headers.

I want to consider security from the start rather than an afterthought. I'm not a security expert by any means. I've done a good deal of research to see how others are handling authentication of a mobile application client from a web service. I think I've come up with a decent solution that doesn't involve hooking into third-party OAuths.

I would greatly appreciate any and all opinions, advice, criticism and general WTFs that any of you can offer. :)


My biggest concerns are:


  1. Ensuring that calls made to the web API are authorized
  2. Minimizing the risk of replay attacks (hence timestamps in the calls below)

The iPhone app will be developed as such:
Two strings are hard-coded into the iPhone app (same values for every user):


  1. Application ID
    This is a string that is used to identify the type of client that is accessing the web API (iPhone, Android, Windows phone, etc).

  2. Application's Hashing Salt
    This is a string that is used to salt hashes for user-agnostic requests.

Two strings are stored in the iPhone app's local database (values unique to each user):


  1. API User Access Token
    This is a string (token) provided to the client by the web API upon successful authentication and allows the client to access the web API without sending the username and password in each request.
  2. User's Hashing Salt
    This is a string that is used to salt hashes for requests made against established user accounts.

The iPhone will make calls to the web API in the following manner:

API Method: Create Account
Client Sends:


  • New Account Data (Username, Password, First Name, Last Name, etc..)
  • Application ID
  • UTC Timestamp
  • Hash of UTC Timestamp + Application ID salted with Application's Hashing Salt

API Returns:


  • New User's Hashing Salt

    The idea here is that, when creating an account, I can use the application's hardcoded salt since it's not a huge security risk if that salt ever got out (through decompilation or some other means).

    But for methods that access and modify the user's data I'll use a salt that is owned only by that user so it can't be used by an attacker to impersonate others.


API Method: Get Account
(Used for getting user's hashing salt for accounts that were created on the web site but haven't yet been synced on the iPhone. This happens when a user tries to log in on the iPhone and iPhone detects that it has no record for that username.)

Client Sends:


  • Username
  • Password (hashed with Application's Hashing Salt)
  • Application ID
  • UTC Timestamp
  • Hash of UTC Timestamp + Application ID salted with Application's Hashing Salt

API Returns:


  • Existing User's Hashing Salt


API Method: Log In (Authenticate)
Client Sends:


  • Username
  • Password (hashed with User's Hashing Salt)
  • Application ID
  • UTC Timestamp
  • Hash of UTC Timestamp + Application ID salted with User's Hashing Salt

API Returns:


  • API User Access Token


API Method: Any Command (i.e. Create Post, Update Profile, Get Messages, etc...)
Client Sends:


  • Command Data
  • API User Access Token
  • Application ID
  • UTC Timestamp
  • Hash of UTC Timestamp + Application ID + API User Access Token salted with User's Hashing Salt
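The "Any Command" exchange above, written out as an added example that is not part of the original post or of any ASP.Net project: the client computes the per-request hash and the server recomputes it, enforces the UTC timestamp window and rejects replays. The hash is implemented as HMAC-SHA256 keyed with the user's hashing salt (so the salt is the shared secret), and it also folds a digest of the Command Data into the signed string, which the post's list does not, so a captured request cannot be replayed with a different body. The 300-second window, the token and salt values, and the request bodies are constructed sample values.

```python
import hashlib
import hmac
import time

# Acceptance window for the UTC timestamp, in seconds (assumed value; tune per answer #1).
CLOCK_SKEW_SECONDS = 300


def sign_request(user_salt: bytes, timestamp: int, app_id: str,
                 access_token: str, body: bytes) -> str:
    """Client side: keyed hash over timestamp + app ID + token (+ body digest,
    an extension of the post's list), keyed with the user's hashing salt."""
    body_digest = hashlib.sha256(body).hexdigest()
    msg = f"{timestamp}|{app_id}|{access_token}|{body_digest}".encode()
    return hmac.new(user_salt, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: recompute the hash, enforce the timestamp window, reject replays."""

    def __init__(self, salts_by_token: dict, now=time.time):
        self.salts_by_token = salts_by_token  # access token -> that user's hashing salt
        self.seen = {}                        # (token, timestamp, signature) -> expiry
        self.now = now                        # injectable clock so the check is testable

    def verify(self, timestamp: int, app_id: str, access_token: str,
               body: bytes, signature: str):
        now = int(self.now())
        if abs(now - timestamp) > CLOCK_SKEW_SECONDS:
            return False, "timestamp outside window"
        salt = self.salts_by_token.get(access_token)
        if salt is None:
            return False, "unknown token"
        expected = sign_request(salt, timestamp, app_id, access_token, body)
        # constant-time comparison so the check does not leak the expected value
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # drop replay-cache entries that have fallen outside the window
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        key = (access_token, timestamp, signature)
        if key in self.seen:
            return False, "replay"
        self.seen[key] = now + CLOCK_SKEW_SECONDS
        return True, "ok"


if __name__ == "__main__":
    salt = b"constructed-user-salt"  # constructed sample value
    v = Verifier({"tok123": salt}, now=lambda: 1_700_000_000)
    sig = sign_request(salt, 1_700_000_000, "iphone", "tok123", b'{"cmd":"get_messages"}')
    print(v.verify(1_700_000_000, "iphone", "tok123", b'{"cmd":"get_messages"}', sig))
    print(v.verify(1_700_000_000, "iphone", "tok123", b'{"cmd":"get_messages"}', sig))
```

The replay cache only needs to remember entries for the length of the timestamp window, because anything older is already rejected by the window check.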

3 answers

#1


3  

My suggestions


  1. Authentication and Authorization. Build it on 2 different servers (in some projects I have used 3 as well). Reverse proxy servers are really good with this. Authenticate on one server and authorize it on the other.

This is the most important step I think that is needed in mobile security that use Web APIs.


  1. Encapsulate everything.

  2. Use SSL for all secure information. In my case I use it for everything.

  3. For your timestamp select a suitable time for which you can have authorization. Do not make this very short, as your app will become slow, or too long, as network sniffers can access the packets.

If you want a 3-server architecture, for your requests have an application key as well that you use to generate an access key (from Server 1). This access key will authenticate your requests, which after successful authentication (from server 2) you can use to authorize your requests from another server (server 3).

The requests you have mentioned are standard norms. Don't really see a problem with that.


#2


4  

I did it using asp.net mvc 4.0/web api basic membership. You may find it helpful.

Yeah, Use SSL for sure


https://github.com/aamir-poswal/Mobile-Apps-Authentication-Authorization-ASP.NET-WEB-MVC-4.0


#3


4  

In VS 2013 you can use the "Asp MVC SPA Application" template to generate a working implementation that generates an OAuth2 bearer token on login and authorizes it for WebApi controller calls using [Authorize] attributes. It uses Membership and Entity Framework to store users and hashes locally in a SQL Server. Just delete the asp mvc parts you don't need and keep the Auth part for WebApi. More details here: http://msdnrss.thecoderblogs.com/2013/09/understanding-security-features-in-the-spa-template-for-vs2013-rc/
