本文介绍了如何防止在受损的服务器的情况下的中间人攻击?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧! 问题描述 29岁程序员,3月因学历无情被辞! 想象一下,服务器正在向其合作伙伴提供用户的公共密钥,以使加密的通信成为可能。但是,服务器无法访问私钥。无论如何 - 假设服务器已被黑客攻击,并且不会发送请求的公钥:我的问题是 - 如何防止这样的虐待? Alice如何确定她使用的是Bob的公钥,反之亦然?解决方案根据您刚才提出的方案,吨。这里的关键是(如果用于验证密钥的有效性的方法)是否被损害,您将失去。 SSL尝试通过创建签名来避免这种情况链 - 一些(非常仔细守卫,并通过其他方法验证)键标记另一个键,标志另一个键,标志爱丽丝的钥匙。通过验证链中的每个步骤,您可以(原则上)知道链条是有效的 - 但是如果链中任何一个步骤中的私钥都被破坏,您就会丢失。 信任网)。您选择一些您已经确认有效的密钥,例如,验证他们 ,并将其标记为可信任。那么任何可通过少于N个步骤(和/或来自不同信任根的M个不同路径)到达的密钥也被认为是有效的。 如果你真的偏执,你当然可以把钥匙交给另一个人。当然,他们必须确定它不是伪装成你的人... 这就是说,验证密钥的有效性的唯一真正的万无一失的方法是生成它自己...除非您的硬件/操作系统/编译器/大脑也受到影响:) Imagine that a server is serving public keys of the users to their partners to make encrypted communication possible. However, the server does NOT have access to the private keys..Anyway - imagine the server is hacked and it sends not the requested public keys:My question is - how to prevent such abuse? How can Alice be sure that she's using Bob's public key and vice versa? 解决方案 Under the scheme you just proposed, you can't. The key here (no pun intended) is if the method used to verify the validity of the keys is compromised, you lose.SSL tries to avoid this by creating a signature chain - some (very carefully guarded, and verified by other methods) key signs another key, signs another key, signs Alice's key. By verifying each step in the chain you can (in principle) know that the chain is valid - but if the private key along any step in the chain is compromised, you lose.PGP (aka GPG) tries to solve the problem in a different, but similar way - keys can be signed by any number of other keys, forming a graph (called the web of trust). You select some keys that you have confirmed valid by, for example, verifying them in person, and mark them as trusted. Then any keys reachable by less than N steps (and/or from M distinct paths from different trusted roots) are also considered valid.If you're really paranoid, you can, of course, physically hand the key to the other person. Of course, they have to be sure it's not someone disguised as you...That said, the only truly foolproof way of verifying the validity of a key is generating it yourself... unless your hardware/OS/compiler/brain is compromised too :) 这篇关于如何防止在受损的服务器的情况下的中间人攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! 上岸,阿里云! 08-04 15:59