來自超級安全白皮書:
API 不存盤用戶發送的未散列的 Authentication Key。它僅存盤散列驗證密鑰以防止“傳遞哈希”攻擊(在泄漏資料庫的情況下,攻擊者只需傳遞散列驗證密鑰即可獲得身份驗證并以真實用戶身份執行操作)。服務器始終對從客戶端接收到的身份驗證密鑰進行哈希處理,以防止這種攻擊向量。
如果 Hashed Authentication Key 與資料庫中的結果不匹配,API 會以否定回應進行回應以指示失敗。API 端通過使用雙重 HMAC 驗證( https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/ )避免了計時攻擊。
不幸的是,該鏈接已失效,并且 Google 搜索通常會指向同一來源。當您需要原始密鑰來驗證簽名時,您能解釋一下雙重hmac驗證是如何作業的嗎?謝謝
uj5u.com熱心網友回復:
該 URL 已由 Wayback Machine 存檔,因此您仍然可以閱讀完整的博客文章:http ://web.archive.org/web/20160203044316/https://www.nccgroup.trust/us/about-us/newsroom- and-events/blog/2011/february/double-hmac-verification/
這篇文章包含一個 C# 代碼片段,演示了如何執行雙重 HMAC 驗證。最后很簡單,就像名稱“double HMAC”表示它使用相同的 HMAC 密鑰執行兩次 HMAC 一樣。
public void validateHMACSHA256(byte[]receivedHMAC, byte[]message, byte[]key) {
HashAlgorithm hashAlgorithm = new HMACSHA256(key);
// size and algorithm choice are not secret; no weakness in failing fast here.
if (receivedHMAC.Length != hashAlgorithm.HashSize / 8) {
Throw new CryptographicException("HMAC verification failure.");
}
byte[]calculatedHMAC = hashAlgorithm.ComputeHash(message);
// Now we HMAC both values again before comparing to randomize byte order.
// These two lines are all that is required to prevent many existing implementations
// vulnerable to adaptive chosen ciphertext attacks using the timing side channel.
receivedHMAC = hashAlgorithm.ComputeHash(receivedHMAC);
calculatedHMAC = hashAlgorithm.ComputeHash(calculatedHMAC);
for (int i = 0; i < calculatedHMAC.Length; i ) {
if (receivedHMAC[i] != calculatedHMAC[i]) {
throw new CryptographicException("HMAC verification failure.");
}
}
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/caozuo/471165.html
