在url参数中添加简单的MAC?

时间:2021-08-05 04:04:39

I want to add a simple kind of MAC to some of my URL parameters. This is only intended as an additional line of defense against application bugs and caching related problems/bugs, and not intended as any form of replacement of the actual login security in the application. A given business-object-id is already protected by backends to be limited to a single user.

我想在我的一些URL参数中添加一种简单的MAC。这仅用作针对应用程序错误和缓存相关问题/错误的额外防线,而不是用于替换应用程序中的实际登录安全性的任何形式。给定的business-object-id已受后端保护,仅限于单个用户。

So basically I'd like to add a short authentication code to my url parameters, on the size of 2-4 characters. I think I'd like to have a reversible function along the lines of f(business-data-id + logged-on-user-id + ??) = hash, but I am open to suggestions.

所以基本上我想在我的url参数中添加一个简短的身份验证代码,大小为2-4个字符。我想我希望在f(business-data-id + logged-on-user-id + ??)= hash方面有一个可逆功能,但我愿意接受建议。

The primary intention is to stop id guessing, and to make sure that url's are fairly distinct per logged on user. I also don't want something big and clunky like an MD5.

主要目的是停止id猜测,并确保每个登录用户的url是相当明显的。我也不想要像MD5那样大而笨重的东西。

3 个解决方案

#1


Since you aren't looking for cryptographic quality, maybe a 24-bit CRC would fit your needs. While MD5 is "fast" in absolute terms, CRC is, relatively, "blindingly fast". Then the 3-byte CRC could be text-encoded into four characters with Base-64 encoding.

由于您不是在寻找加密质量,因此24位CRC可能符合您的需求。虽然MD5在绝对意义上是“快速的”,但CRC相对来说“非常快”。然后,可以使用Base-64编码将3字节CRC文本编码为四个字符。

Here's a Java implementation of the check used for OpenPGP ASCII-armor checksums:

这是用于OpenPGP ASCII-armor校验和的检查的Java实现:

private static byte[] crc(byte[] data)
{
  int crc = 0xB704CE;
  for (int octets = 0; octets < data.length; ++octets) {
    crc ^= (data[octets] & 0xFF) << 16;
    for (int i = 0; i < 8; ++i) {
      crc <<= 1;
      if ((crc & 0x1000000) != 0)
        crc ^= 0x1864CFB;
    }
  }
  byte[] b = new byte[3];
  for (int shift = 16, idx = 0; shift >= 0; shift -= 8) {
    b[idx++] = (byte) (crc >>> shift);
  }
  return b;
}

I would hash a secret key (which is known only by the server), together with whatever you want to protect—probably the combination of object identifier and user identifier.

我会散列一个秘密密钥(只有服务器知道),以及你想保护的任何东西 - 可能是对象标识符和用户标识符的组合。

#2


If what you want is basically MD5 but smaller, why not just use MD5 but just the last 4 characters? This doesn't add a huge blob to your urls, it's always 4 nice hex digits.

如果您想要的基本上是MD5但更小,为什么不只是使用MD5而只是最后4个字符?这不会给你的网址添加一个巨大的blob,它总是4个漂亮的十六进制数字。

#3


A quick question for which I'm sure there's a good answer for, but why not store this information in a cookie?

一个快速的问题,我确信有一个很好的答案,但为什么不将这些信息存储在cookie中?

Then you could use something big and clunky like MD5 and your URLs would still be pretty.

那么你可以使用像MD5这样大而笨重的东西,你的网址仍然很漂亮。

#1


Since you aren't looking for cryptographic quality, maybe a 24-bit CRC would fit your needs. While MD5 is "fast" in absolute terms, CRC is, relatively, "blindingly fast". Then the 3-byte CRC could be text-encoded into four characters with Base-64 encoding.

由于您不是在寻找加密质量,因此24位CRC可能符合您的需求。虽然MD5在绝对意义上是“快速的”,但CRC相对来说“非常快”。然后,可以使用Base-64编码将3字节CRC文本编码为四个字符。

Here's a Java implementation of the check used for OpenPGP ASCII-armor checksums:

这是用于OpenPGP ASCII-armor校验和的检查的Java实现:

private static byte[] crc(byte[] data)
{
  int crc = 0xB704CE;
  for (int octets = 0; octets < data.length; ++octets) {
    crc ^= (data[octets] & 0xFF) << 16;
    for (int i = 0; i < 8; ++i) {
      crc <<= 1;
      if ((crc & 0x1000000) != 0)
        crc ^= 0x1864CFB;
    }
  }
  byte[] b = new byte[3];
  for (int shift = 16, idx = 0; shift >= 0; shift -= 8) {
    b[idx++] = (byte) (crc >>> shift);
  }
  return b;
}

I would hash a secret key (which is known only by the server), together with whatever you want to protect—probably the combination of object identifier and user identifier.

我会散列一个秘密密钥(只有服务器知道),以及你想保护的任何东西 - 可能是对象标识符和用户标识符的组合。

#2


If what you want is basically MD5 but smaller, why not just use MD5 but just the last 4 characters? This doesn't add a huge blob to your urls, it's always 4 nice hex digits.

如果您想要的基本上是MD5但更小,为什么不只是使用MD5而只是最后4个字符?这不会给你的网址添加一个巨大的blob,它总是4个漂亮的十六进制数字。

#3


A quick question for which I'm sure there's a good answer for, but why not store this information in a cookie?

一个快速的问题,我确信有一个很好的答案,但为什么不将这些信息存储在cookie中?

Then you could use something big and clunky like MD5 and your URLs would still be pretty.

那么你可以使用像MD5这样大而笨重的东西,你的网址仍然很漂亮。