Problem description
Is this implementation of signed URLs reasonably secure?
I am trying to implement signed URLs for short-lived access to static files. The idea is as follows:
- Generate a URL that includes an expiry timestamp (e.g. https://example.com/file.png?download=false&expires=1586852158).
- Sign it with HMACSHA256 and a shared secret, and append the signature to the end of the URL (e.g. https://example.com/file.png?download=false&expires=1586852158&signature=6635ea14baeeaaffe71333cf6c7fa1f0af9f6cd1a17abb4e75ca275dec5906d1).
- When the server receives a request, extract the signature parameter and verify that signing the rest of the URL with HMACSHA256 and the same shared secret produces the same signature.
Reference solutions
Method 1:
Your implementation seems to be missing the verification of the expiration time, so any one key would currently work indefinitely.
Otherwise, I don't see anything wrong with this approach in general. You may want to add in a key beyond just the timestamp for identifying the user or request in some way though.
Here's a good article on how the general approach is used for one-time passwords, which is essentially what you are doing.
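The scheme from the question, with the expiry check that Method 1 points out is missing, written as an added example (not code from the question or any answer). The secret, the canonicalisation (path plus sorted query with `signature` removed) and the `(ok, reason)` return shape are assumptions of this example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-shared-secret"


def _string_to_sign(url: str) -> str:
    """Canonical form covered by the HMAC: path plus every query parameter
    except 'signature', sorted so parameter order cannot change the result."""
    parts = urlsplit(url)
    params = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                    if k != "signature")
    return f"{parts.path}?{urlencode(params)}"


def sign_url(url: str, ttl_seconds: int, secret: bytes, now=None) -> str:
    """Add expires=<now+ttl> and append an HMAC-SHA256 signature over the URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in ("expires", "signature")]
    params.append(("expires", str(now + ttl_seconds)))
    unsigned = urlunsplit(parts._replace(query=urlencode(params)))
    sig = hmac.new(secret, _string_to_sign(unsigned).encode(), hashlib.sha256).hexdigest()
    return f"{unsigned}&signature={sig}"


def verify_url(url: str, secret: bytes, now=None):
    """Server side: recompute the HMAC, compare in constant time, then enforce expiry."""
    now = int(time.time()) if now is None else now
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sig = params.get("signature")
    if not sig:
        return False, "missing signature"
    expected = hmac.new(secret, _string_to_sign(url).encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading hex characters matched
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # The step the question leaves out: a signed expiry is only useful if checked.
    try:
        expires = int(params["expires"])
    except (KeyError, ValueError):
        return False, "missing or malformed expires"
    if now >= expires:
        return False, "expired"
    return True, "ok"
```

Because `expires` is inside the signed string, changing it (or `download`) invalidates the signature, and a valid signature is still rejected once the timestamp has passed.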
Method 2:
Yes, it is secure, as long as the key is treated properly. The hash should be able to ensure data integrity (data in URL are not modified by other people).
Perhaps, one little improvement is to dispose the HMACSHA256 object (maybe by using ), but that may not be related to security.
Method 3:
I have one concern. You are saying you want to use HMACSHA256 and a private key, but in security terminology what you're passing to the HMAC is not a private key, it's a shared secret.
If you have to have a public/private key pair for your sign-and-verify authentication, I would suggest using the RSACryptoServiceProvider. With RSA you have two keys, a public key and a private key.
Your client creates a private key, keeps it, and gives its public key to the server. So only the client can sign, and anyone with the public key can verify it.
On another note, no matter what algorithm you end up using, I would suggest adding the signature to an authorization header instead of the query string. This is more common and you don't need to match a regex in each request.
(by Shoe Diamente, Matti Price, Ken Hung, Kahbazi)