
JWT, stateless authentication and security

Asked by: it1352

Question

I am working on an application where scalability is a big concern. In the past I've used session-based authentication, but decided to go with a stateless server this time around in order to facilitate horizontal scaling.

I am not a security expert, but in researching JWTs, it began to seem like these are very insecure. The whole reason we hash passwords is so that if our database is compromised, the attacker cannot impersonate a user. With JWT, we store a secret on the server. If the attacker gains access to the secret, can't they impersonate any user they want? Doesn't this mean that using JWTs would have the same level of security as storing plain text passwords?

I have read that people will sometimes use Redis to cross reference JWTs, but then the server isn't stateless, and I fail to see the benefit of using JWTs at all.

Could someone help clarify this issue for me?

Accepted answer

#1

Session-based authentication systems, at least any that are worth using, also store a secret on the server. Just like the JWT, the secret is used to sign the data stored in the cookie that session-based authentication uses. So this is no different than a JWT.

All of this is totally unrelated to password storage, as the password is only used when you don't have a cookie/JWT.

Not sure what to say about using Redis in conjunction with a JWT... What is being stored in Redis, the token? That seems pointless, as all the server needs to know is the secret to decode the token.

Here are some of the benefits to using a JWT:

  • It's stateless, as you've already mentioned
  • It's not subject to CSRF/XSRF attacks. These attacks work by tricking your browser into sending the cookie to a server that didn't generate the cookie. This can't happen w/a JWT b/c the browser doesn't send the JWT automatically like it does w/cookies.
  • JWTs are standardized. There is a well-defined way to generate them, which means that JWTs are more portable and the process has been vetted by the security community.
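The answer's central point, that a signed session cookie and an HS256 JWT both rest on a server-side HMAC secret while the password is only ever compared against a salted hash and never enters the token, is easier to see in code. The block below is an added example in Python, not code from the question or the answer; the secret, the user store, the timestamps and the PBKDF2 work factor are all constructed for the demo, and HS256 is written out by hand only so the mechanism is visible (a production service would use a maintained JWT library).

```python
# Added example: one server secret backs both a signed session cookie and an
# HS256 JWT; passwords are checked against a salted hash and never put in a token.
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed secret for this demo. A real deployment loads a random
# 32+ byte value from a secret store and rotates it; it never lives in code.
SERVER_SECRET = b"demo-only-secret-0123456789abcdef"
PBKDF2_ROUNDS = 100_000  # hypothetical work factor; tune to your hardware


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hmac_tag(secret: bytes, message: str) -> bytes:
    return hmac.new(secret, message.encode("ascii"), hashlib.sha256).digest()


# --- 1. Signed session cookie: body + HMAC tag under the server secret ---
def sign_session_cookie(session: dict, secret: bytes = SERVER_SECRET) -> str:
    body = b64url_encode(json.dumps(session, separators=(",", ":")).encode())
    return body + "." + b64url_encode(hmac_tag(secret, body))


def verify_session_cookie(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    try:
        body, tag = cookie.split(".")
        given = b64url_decode(tag)
    except ValueError:
        return None
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(hmac_tag(secret, body), given):
        return None
    return json.loads(b64url_decode(body))


# --- 2. HS256 JWT: header.payload.signature under the same kind of secret ---
def mint_jwt(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return signing_input + "." + b64url_encode(hmac_tag(secret, signing_input))


def verify_jwt(token: str, secret: bytes = SERVER_SECRET,
               now: Optional[float] = None) -> Optional[dict]:
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        given = b64url_decode(s64)
    except ValueError:
        return None
    # The verifier pins the algorithm; the token does not get to choose it.
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(hmac_tag(secret, h64 + "." + p64), given):
        return None
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    # Tokens without an expiry are rejected along with expired ones.
    if "exp" not in claims or now >= claims["exp"]:
        return None
    return claims


# --- 3. Passwords: salted PBKDF2 hash, checked once at login, never in a token ---
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: only salt + hash is kept, never the password itself.
USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY_RECORD = hash_password("dummy")  # keeps login timing uniform for unknown users


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    salt, digest = USERS.get(username, DUMMY_RECORD)
    ok = check_password(password, salt, digest)
    if not ok or username not in USERS:
        return None
    now = time.time() if now is None else now
    # 15-minute token: the subject is the user id; the password never appears.
    return mint_jwt({"sub": username, "exp": int(now) + 900})


if __name__ == "__main__":
    token = login("alice", "correct horse battery staple", now=1_700_000_000)
    print("token:", token)
    print("claims:", verify_jwt(token, now=1_700_000_100))
    print("expired:", verify_jwt(token, now=1_700_001_000))
```

Both `verify_session_cookie` and `verify_jwt` fail on a forged body exactly the same way, because in both designs the only thing an attacker lacks is the HMAC secret; the password hashes are a separate store that the token path never touches. The JWT verifier additionally refuses any token whose header names a different algorithm and any token without an `exp` claim, which is the defender's answer to the "secret leak means forever" worry: a leaked secret still has to be rotated, but every token minted under it dies on its own schedule.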

Reposted from: 学新通技术网, /reply/detail/tanhcffcfk