Is this implementation of signed URLs reasonably secure?


Problem description


I'm trying to implement signed URLs for short-lived access to static files. The idea is:

  • Generate a URL with an expiration timestamp (e.g. https://example.com/file.png?download=false&expires=1586852158).
  • Sign it with HMACSHA256 and a shared secret, and append the signature to the end of the URL (e.g. https://example.com/file.png?download=false&expires=1586852158&signature=6635ea14baeeaaffe71333cf6c7fa1f0af9f6cd1a17abb4e75ca275dec5906d1).

When I receive the request on the server, I pull out the signature parameter and verify that the rest of the URL, signed with HMACSHA256 and the same shared secret, results in the same signature.


Reference solutions

Method 1:

Your implementation seems to be missing the verification of the expiration time, so any one key would currently work indefinitely.

Otherwise, I don't see anything wrong with this approach in general. You may want to add in a key beyond just the timestamp for identifying the user or request in some way though.

Here's a good article on how the general approach is used for one time passwords which is essentially what you are doing.

https://www.freecodecamp.org/news/how-time-based-one-time-passwords-work-and-why-you-should-use-them-in-your-app-fdd2b9ed43c3/

Method 2:

Yes, it is secure, as long as the key is treated properly. The hash should be able to ensure data integrity (data in URL are not modified by other people).

Perhaps, one little improvement is to dispose the HMACSHA256 object (maybe by using), but that may not be related to security.

Method 3:

I have one concern. You are saying you want to use HMACSHA256 and a private key, but in security terminology what you're passing to the HMAC is not a private key, it's a shared secret.

If you have to have a public, private key for your sign and verify authentication, I would suggest using the RSACryptoServiceProvider. With RSA you have two keys, public key and private key.

Your client creates a private key and keeps it and gives its public key to the server. So only the client can sign and anyone with the public key can verify it.

On another note, no matter what algorithm you end up using, I would suggest adding the signature to an authorization header instead of the query string. This is more common and you don't need to match a regex in each request.

(by Shoe Diamente, Matti Price, Ken Hung, Kahbazi)
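
An added example, not part of the original question or answers: the scheme from the question with the expiration check that Method 1 says is missing, the `using` disposal suggested in Method 2, and a constant-time signature comparison. The class name `SignedUrl`, its method names and the demo secret are assumptions made for this illustration, and it assumes `expires` and `signature` are always the last two query parameters.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedUrl
{
    // Hypothetical helper: appends expires and signature as the last two parameters.
    public static string Sign(string url, DateTimeOffset expires, byte[] secret)
    {
        char sep = url.Contains("?") ? '&' : '?';
        string unsigned = $"{url}{sep}expires={expires.ToUnixTimeSeconds()}";
        return $"{unsigned}&signature={Mac(unsigned, secret)}";
    }

    public static bool Verify(string signedUrl, DateTimeOffset now, byte[] secret)
    {
        const string sigKey = "&signature=";
        int s = signedUrl.LastIndexOf(sigKey, StringComparison.Ordinal);
        if (s < 0) return false;
        string unsigned = signedUrl.Substring(0, s);
        string presented = signedUrl.Substring(s + sigKey.Length);
        // Recompute the MAC over everything before the signature; compare in constant time.
        byte[] expected = Encoding.ASCII.GetBytes(Mac(unsigned, secret));
        byte[] actual = Encoding.ASCII.GetBytes(presented);
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;
        // Only now is expires trustworthy: reject once the timestamp has passed.
        const string expKey = "expires=";
        int e = unsigned.LastIndexOf(expKey, StringComparison.Ordinal);
        if (e < 0) return false;
        return long.TryParse(unsigned.Substring(e + expKey.Length), out long exp)
            && now.ToUnixTimeSeconds() <= exp;
    }

    private static string Mac(string data, byte[] secret)
    {
        using (var hmac = new HMACSHA256(secret)) // disposed when the block exits
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
            return BitConverter.ToString(tag).Replace("-", "").ToLowerInvariant();
        }
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed value
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string url = Sign("https://example.com/file.png?download=false", now.AddMinutes(5), secret);
        Console.WriteLine(Verify(url, now, secret));                // within lifetime
        Console.WriteLine(Verify(url, now.AddMinutes(6), secret));  // past expires
        Console.WriteLine(Verify(url.Replace("download=false", "download=true"), now, secret)); // tampered
    }
}
```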

Reference documents

  1. Is this implementation of signed URLs reasonably secure? (CC BY‑SA 2.5/3.0/4.0)

#signing #hmac #.net-core #Security #C#





