Resource Integrity

From MgmtWiki
Revision as of 22:09, 2 May 2022 by Tom (talk | contribs) (Context)

Jump to: navigation, search

Full Title or Meme

The ability of the receiver to determine that a received resource has not be tampered with before it is used.

Context

  • Where a digital device is dependent on the received resource being an exact duplicate of that produced by a trusted party, some sort of authentication code is suppled. Cryptography is used to assure that no attacker could alter the contents without the receiver detecting the alteration.
  • This is also known as a tamper evident protection.

Problems

Solutions

Code Signing

Subresource Integrity

  • SRI for the browser is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match. Using Content Delivery Networks (CDNs) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth. However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely) and thus can also potentially attack all sites that fetch files from that CDN.

References