“Unless otherwise specified by the Service Provider,the timestamp is
expressed in the number of seconds since January 1,1970 00:00:00 GMT.
The timestamp value MUST be a positive integer and MUST be equal or
greater than the timestamp used in prevIoUs requests.”
来源:http://oauth.net/core/1.0/#nonce
意味着时间戳仅与来自相同源的先前请求相比较,而不是与我的服务器系统时钟相比较。
然后我在这里阅读更详细的描述:http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iii-security-architecture/
(TL; DR? – 跳到下面的粗体部分)
To prevent compromised requests from being used again (replayed),
OAuth uses a nonce and timestamp. The term nonce means ‘number used
once’ and is a unique and usually random string that is meant to
uniquely identify each signed request. By having a unique identifier
for each request,the Service Provider is able to prevent requests
from being used more than once. This means the Consumer generates a
unique string for each request sent to the Service Provider,and the
Service Provider keeps track of all the nonces used to prevent them
from being used a second time. Since the nonce value is included in
the signature,it cannot be changed by an attacker without knowing the
shared secret.Using nonces can be very costly for Service Providers as they demand
persistent storage of all nonce values received,ever. To make
implementations easier,OAuth adds a timestamp value to each request
which allows the Service Provider to only keep nonce values for a
limited time. When a request comes in with a timestamp that is older
than the retained time frame,it is rejected as the Service Provider
no longer has nonces from that time period. It is safe to assume that
a request sent after the allowed time limit is a replay attack. OAuth
provides a general mechanism for implementing timestamps but leaves
the actual implementation up to each Service Provider (an area many
believe should be revisited by the specification). From a security
standpoint,the real nonce is the combination of the timestamp value
and nonce string. Only together they provide a perpetual unique value
that can never be used again by an attacker.
我困惑的原因是如果Nonce只使用一次,为什么服务提供商会根据时间戳拒绝? “服务提供商不再有从那个时间段的nonce”混淆我和声音就像一个nonce可以重复使用,只要它是在最后一次使用的30秒内。
所以,任何人都可以为我清除这一点?如果nonce是一次性使用,我不是时间戳的点,我不是比较时间戳与我自己的系统时钟(因为显然不会可靠)。有意义的是,时间戳将仅相对于彼此,但是使用唯一的随机数要求,似乎不相关。
假设您决定允许时钟和客户端之间的时间差达到15分钟,并且正在跟踪数据库表中的随机数值。表的唯一键将是“客户端标识符”,“访问令牌”,“nonce”和“timestamp”的组合。当有新请求进来时,请检查时间戳是否在您的时钟的15分钟内,然后在表中查找该组合。如果找到,拒绝该调用,否则添加到您的表,并返回请求的资源。每次向表中添加新的随机数时,删除时间戳早于15分钟的“客户端标识符”和“访问令牌”组合的任何记录。
