I am reading about Amazon's authentication flow; they use a custom process to sign each request.
Thanks!
Best answer
Here is what the documentation has to say. Basically it boils down to the timestamp, and to mitigate replay attacks they recommend using SSL.
Authenticating Requests
Requests to AWS are authenticated by verifying information contained within the request. This verification is performed using the information in the following table.
AWSAccessKeyId: The sender's AWS account is identified by the access key ID. The access key ID is used to look up the secret access key.
Signature: Every request to a web service that requires authentication must contain a valid request signature, or the request is rejected. The request signature is computed using the Secret Access Key that AWS assigns to the developer account, a shared secret known only to AWS and the developer.
Timestamp: The date and time the request was created, expressed as a UTC string. The value of this parameter must match the format of the XML Schema dateTime data type.
The second link adds:
The best mechanism for defense against a replay attack is to ensure all your requests are made over an SSL connection. If you cannot use SSL, then the mechanism available to you for prevention of replay attacks is the Expires parameter in signature version 2. This requires your client to be synchronized to atomic time (using NTP, or a similar synchronization protocol). If you do not use the Expires parameter, and rely only on the timestamp parameter, your requests are subject to a request expiration period, which varies by service, but can be as long as 15 minutes.
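The following is an added illustration of the scheme the answer quotes (Signature Version 2: a string-to-sign built from the verb, host, path and canonical query, signed with HMAC-SHA256 over the shared secret, plus a Timestamp or Expires parameter). It is not code from the original post or from AWS. The string-to-sign layout and the RFC 3986 parameter encoding follow the published SigV2 rules; the access key ID, secret, host, fixed clock `T0` and the 15-minute `MAX_SKEW` window are constructed for the demo, and nothing here contacts a real endpoint. The verifier shows the point of the quoted text: a captured request with only a Timestamp verifies again for the whole expiration period, an Expires value narrows that window, and neither stops a replay inside it, which is why the documentation pushes SSL.

```python
"""AWS Signature Version 2 signing and verification (added example, not AWS code)."""
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                        # constructed demo key ID
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"    # constructed demo secret
T0 = datetime(2012, 8, 31, 12, 0, 0, tzinfo=timezone.utc)  # fixed "now" for the demo
MINUTE = timedelta(minutes=1)
MAX_SKEW = 15 * MINUTE  # assumed service expiration period (quoted text: "as long as 15 minutes")


def _encode(value: str) -> str:
    # RFC 3986: everything except A-Z a-z 0-9 - _ . ~ is percent-encoded.
    return urllib.parse.quote(value, safe="-_.~")


def canonical_query(params: dict) -> str:
    # Parameters sorted by name in byte order, names and values encoded, joined with & and =.
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    # Verb, lowercase host header, request URI and canonical query, newline separated.
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def compute_signature(secret: str, sts: str) -> str:
    # Signature = Base64(HMAC-SHA256(secret, string-to-sign))
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _fmt(dt: datetime) -> str:
    # XML Schema dateTime in UTC, e.g. 2012-08-31T12:00:00Z
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sign_request(method, host, path, params, access_key, secret, now, expires_in=None):
    """Client side: add the SigV2 auth parameters and the Signature."""
    signed = dict(params)
    signed["AWSAccessKeyId"] = access_key
    signed["SignatureVersion"] = "2"
    signed["SignatureMethod"] = "HmacSHA256"
    if expires_in is None:
        signed["Timestamp"] = _fmt(now)             # creation time
    else:
        signed["Expires"] = _fmt(now + expires_in)  # explicit deadline instead of Timestamp
    # The signature covers every parameter except itself.
    signed["Signature"] = compute_signature(secret, string_to_sign(method, host, path, signed))
    return signed


def demo_secret_lookup(access_key_id):
    # Server side: the access key ID selects the shared secret (constructed single-key store).
    return SECRET_KEY if access_key_id == ACCESS_KEY else None


def verify_request(method, host, path, query, secret_lookup, now):
    """Server side: returns (accepted, reason)."""
    params = dict(query)
    presented = params.pop("Signature", None)
    if presented is None:
        return False, "missing Signature"
    if params.get("SignatureVersion") != "2" or params.get("SignatureMethod") != "HmacSHA256":
        return False, "unsupported signature scheme"
    secret = secret_lookup(params.get("AWSAccessKeyId"))
    if secret is None:
        return False, "unknown AWSAccessKeyId"
    expected = compute_signature(secret, string_to_sign(method, host, path, params))
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    try:
        if "Expires" in params:
            if now > _parse(params["Expires"]):
                return False, "expired"
        elif "Timestamp" in params:
            if abs(now - _parse(params["Timestamp"])) > MAX_SKEW:
                return False, "timestamp outside window"
        else:
            return False, "no Timestamp or Expires"
    except ValueError:
        return False, "malformed time value"
    return True, "ok"


if __name__ == "__main__":
    req = sign_request("GET", "ec2.amazonaws.com", "/",
                       {"Action": "DescribeInstances", "Version": "2012-08-15"},
                       ACCESS_KEY, SECRET_KEY, T0)
    args = ("GET", "ec2.amazonaws.com", "/", req, demo_secret_lookup)
    print("fresh  :", verify_request(*args, T0))
    print("replay :", verify_request(*args, T0 + 5 * MINUTE))   # still accepted
    print("too old:", verify_request(*args, T0 + 20 * MINUTE))  # rejected
```

Run it as a script to see the three outcomes; the replay line is the one the quoted documentation is warning about. Without SSL an attacker who captures the query string can resend it unchanged until the timestamp window closes, because nothing in SigV2 ties a signature to a single use.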
On web-services - Amazon REST service authentication and security, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/12216321/