I am looking into whether the Apple Pay transactionId can be used to defend against replay attacks through the same payment gateway. The defence should rely on a field that is covered by the signature and is unique.
But the Payment Token Format Reference describes paymentData.header.transactionId as:
Transaction identifier, generated on the device.
That is not enough to treat it as globally unique.
Best answer
Here is a test example of an ApplePayJS token:
{
  "paymentData": {
    "version": "EC_v1",
    "data": "...",
    "signature": "...",
    "header": {
      "ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6jY12R9PoL7bzaC3/ibs6q6+g/cqjSkiO3GVFld2NVUA6kRlq0iJRT+XzfmGFvRs/G2qwgmWY8fKu7p6Ktgxug==",
      "publicKeyHash": "AJiEM3d+czut7s1t4QdtRBPjSOxw0D6iWSp1MUdXueM=",
      "transactionId": "f8f0c804922303decba1a8a4f7c503df1a6314e44e8db5ae7eb6b7fe0323513b"
    }
  },
  "paymentMethod": {
    "displayName": "MasterCard 1471",
    "network": "MasterCard",
    "type": "debit"
  },
  "transactionIdentifier": "F8F0C804922303DECBA1A8A4F7C503DF1A6314E44E8DB5AE7EB6B7FE0323513B"
}
In practice, it always carries a top-level transactionIdentifier field that matches the nested paymentData.header.transactionId (case-insensitively).
The docs also say:
transactionIdentifier
A unique identifier for this payment.
This identifier is suitable for use in a receipt.
A Google search also turned up How do I process returns with Apple Pay:
In Japan, you can also use the transaction ID on the receipt to find the purchase and process the return.
Also, the transactionId is 64 hexadecimal characters, i.e. 32 full bytes, long, which is longer than the Unique Transaction Identifier format. So there is enough room for it to be truly globally unique.
Still looking for more direct, authoritative evidence.
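As an added example (not code from the question or the answer above), here is a gateway-side replay check built on the two observations in the answer: the header transactionId is 64 hex characters, and the top-level transactionIdentifier matches it case-insensitively. The in-memory seen-set is an assumption standing in for a shared persistent store, and the sample token is constructed from the identifiers quoted above with data and signature elided.

```python
import re
import threading

# 64 lowercase hex chars == 32 bytes, the length the answer reports for transactionId.
HEX64 = re.compile(r"[0-9a-f]{64}")

# Constructed sample token using the identifiers quoted in the answer; data/signature elided.
SAMPLE_TOKEN = {
    "paymentData": {
        "version": "EC_v1",
        "data": "...",
        "signature": "...",
        "header": {
            "transactionId": "f8f0c804922303decba1a8a4f7c503df1a6314e44e8db5ae7eb6b7fe0323513b",
        },
    },
    "transactionIdentifier": "F8F0C804922303DECBA1A8A4F7C503DF1A6314E44E8DB5AE7EB6B7FE0323513B",
}


def canonical_transaction_id(token: dict) -> str:
    """Validate the id's shape and return it lower-cased so a re-cased replay still dedups."""
    header_id = token["paymentData"]["header"]["transactionId"]
    norm = header_id.lower()
    if not HEX64.fullmatch(norm):
        raise ValueError("transactionId is not 64 hex characters")
    top_id = token.get("transactionIdentifier")
    # The answer observes the top-level field matches case-insensitively; enforce it.
    if top_id is not None and top_id.lower() != norm:
        raise ValueError("transactionIdentifier does not match header transactionId")
    return norm


class ReplayGuard:
    """In-memory seen-set (assumption); a shared persistent store replaces it in production."""

    def __init__(self) -> None:
        self._seen = set()
        self._lock = threading.Lock()

    def consume(self, token: dict) -> bool:
        """True the first time an id is presented to this gateway, False on any replay."""
        tid = canonical_transaction_id(token)
        with self._lock:
            if tid in self._seen:
                return False
            self._seen.add(tid)
            return True
```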
Regarding "security - Is the Apple Pay token transactionId globally unique?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/46963611/