
Do I need a cryptographically secure random number?

Question


I'm writing a webservice in Go.

Upon login, the user is returned a token, which behaves roughly like a cookie in the sense that the user must pass it in each subsequent request in order to be recognized.

  1. Does my token generator have to be "cryptographically secure", i.e. generated with high entropy?

  2. How can I achieve this in Go, preferably using standard libraries or libraries written by crypto-competent people unlike me?

Answer 1

Score: 5


It would be beneficial for the token generator to be cryptographically secure, to reduce the ability of attackers to guess new session tokens and acquire the privileges along with them. crypto/rand implements such a random number generator, including functions that allow you to generate random integers, prime numbers and bytes suitable for this.
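As an added example (not code from either answerer or the asker), here are both answers put into working Go: a token drawn from crypto/rand as the first answer suggests, and the server-side "is this token still mapped to an active user" check the second answer recommends. The names NewToken, SessionStore, Login and Lookup, and the choice to store only a SHA-256 of each token, are my own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"sync"
)

// NewToken draws 32 bytes (256 bits) from crypto/rand, the OS-backed CSPRNG, and
// base64url-encodes them; that much entropy makes guessing a live token infeasible.
func NewToken() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err // never fall back to math/rand on failure
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}
// keyFor hashes a token before it becomes a map key, so a leaked session table holds no usable tokens.
func keyFor(token string) [32]byte { return sha256.Sum256([]byte(token)) }

// SessionStore is the server-side table the second answer recommends; the zero value is usable.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[[32]byte]string // sha256(token) -> user ID
}

// Login issues a fresh token for userID and records its hash.
func (s *SessionStore) Login(userID string) (string, error) {
	tok, err := NewToken()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.sessions == nil {
		s.sessions = make(map[[32]byte]string)
	}
	s.sessions[keyFor(tok)] = userID
	return tok, nil
}

// Lookup resolves a presented token to a user ID; ok == false means reject the request.
func (s *SessionStore) Lookup(tok string) (uid string, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	uid, ok = s.sessions[keyFor(tok)]
	return uid, ok
}
```

A request carrying a token that Lookup does not know (expired, revoked, or simply invented) is rejected regardless of what the token claims, which is what closes the replay gap the second answer describes.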

Answer 2

Score: 1


Yes, use a cryptographic hash. You can use something like gorilla/securecookie to generate a key and provide cookie storage: http://www.gorillatoolkit.org/pkg/securecookie

Note that if you are relying upon the cookie alone for verification, you open yourself up to replay attacks. Use the cookie to trigger a server-side check (user ID == active/valid) or bounce them out if the ID doesn't exist.

huangapple
  • This post was published on 2013-11-05 22:32:32
  • Please keep this link when reposting: https://go.coder-hub.com/19791384.html