我正在开发一个公司的移动应用程序。 公司里每个人都有一个@corporate. com 电子邮件地址。 应用程序本身是保密的, 只能安装在员工设备上。 此应用程序与外部服务器通讯, 以存储和检索数据 。
最理想的是,我希望通过提供他们的电子邮件地址,在没有密码的情况下,让人们登录到应用程序中。 以下是我目前的想法:
- A new user opens the app for the first time on a certain device and puts in their email address. The email address is sent to the server, along with a static token embedded in the application (which is the same for all instances of the application).
- The server verifies the token and the fact that the email address is @company.com. It responds with a new token/key for use only with that user and device, which the client stores in plain text locally. That key is effectively the user s password. It is hashed, stored in the server database, and marked as disabled.
- There are two possibilities at this point:
- The server sends an email to that address confirming that they want to log in on a new device. The email contains a link which, when clicked, marks the key as enabled. There would need to be rate-limiting on new device requests so people can t get spammed if someone discovers the token embedded in the app.
- An administrator specifically approves new device requests.
- Every subsequent client request to the server must include the key.
假设所有通信都经过了SSL,这听起来像安全战略吗?是否有更安全或更简单的方法?
此外, 生成将存储客户端的标记的最佳方式是什么? 因为我希望用户在第一次使用该应用程序时只将电子邮件地址放入他们的电子邮件地址, 我相信这个标记永远不会改变 。 这是我目前基于 Drupal s drupal_get_token () 的算法( PHP) :
// Usage: get_token($email) or get_token($client_token)
function get_token($value = ) {
$salt = hash( sha256 , Some static, predefined phrase );
$hmac = base64_encode(hash_hmac( sha256 , $email, $salt, TRUE));
return $hmac;
}
正如你所看到的,它并不能防止平行攻击(例如,如果有人发现预先定义的短语和算法,并且他们可以进入数据库,他们可以产生杂交,并与数据库中储存的术语进行比较),但因为原始关键值已经很长了,我不认为这将比正常密码有效。 此外,我不确定有什么办法可以制造一种动态的盐,攻击者如果能够进入数据库(或者说,如果在那个时候,如果这甚至很重要,因为进入数据库会暴露我们试图保密的数据),那么攻击者就已经无法进入数据库(或者说,如果在那个时候,如果这样做很重要,因为进入数据库会暴露出我们试图保密的数据 ) 。