英文:
Do I need a cryptographically secure random number?
问题
我正在使用Go编写一个Web服务。
用户登录后,会返回一个令牌(token),类似于cookie的行为,用户必须在每个后续请求中传递该令牌以便被识别。
-
我的令牌生成器是否需要是“密码学安全”的,即具有高熵的生成方式?
-
如何在Go中实现这一点,最好使用标准库或由密码学专家编写的库,而不是像我这样的人?
英文:
I'm writing a webservice in Go.
Upon login, the user is returned a token, which behaves roughly like a cookie in the sense that the user must pass it in each subsequent request in order to be recognized.
-
Does my token generator has to be "cryptographically secure", ie. generated with high entropy?
-
How can I achieve this in Go, preferably using standard libraries or libraries written by crypto-competent people unlike me?
答案1
得分: 5
生成令牌的加密安全性将会带来好处,可以降低攻击者猜测新会话令牌并获取相应权限的能力。crypto/rand实现了这样一个随机数生成器,包括一些函数,可以用于生成适用于此目的的随机整数、素数和字节。
英文:
It would be beneficial for the token generator to be cryptographically secure, to reduce the ability of attackers to guess new session tokens and acquire the privileges along with them. crypto/rand implements such a random number generator, including functions that allow you to generate random integers, prime numbers and bytes suitable for this.
答案2
得分: 1
是的,可以使用加密哈希。你可以使用类似gorilla/securecookie的工具来生成密钥并提供cookie存储:http://www.gorillatoolkit.org/pkg/securecookie
请注意,如果你仅依赖cookie进行验证,那么可能会遭受重放攻击。可以使用cookie触发服务器端的检查(用户ID == 活动/有效),或者如果ID不存在,则将其退出。
英文:
Yes, use a crytographic hash. You can use something like gorilla/securecookie to generate a key and provide cookie storage: http://www.gorillatoolkit.org/pkg/securecookie
Note that if you are relying upon the cookie alone for verification that you open yourself up to replay attacks. Use the cookie to trigger a server-side check (user ID == active/valid) or bounce then out if the ID doesn't exist.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论