Enabling connection security for Holographic Remoting

Important

This guidance is specific to Holographic Remoting on HoloLens 2.

This page gives you an overview of network security for Holographic Remoting. You'll find information about

  • security in the context of Holographic Remoting and why you might need it
  • recommended measures based on different use cases
  • implementing security in your Holographic Remoting solution

Holographic Remoting security

Holographic Remoting exchanges information over a network. If no security measures are in place, adversaries on the same network may compromise the integrity of the communication or access confidential information.

The sample apps and the Holographic Remoting Player in the Windows Store come with security disabled. Doing so makes the samples easier to understand. It also helps you to get started more quickly with development.

For field testing or production, we strongly recommend enabling security in your Holographic Remoting solution.

Security in Holographic Remoting, when set up correctly for your use case, gives you the following guarantees:

  • Authenticity: both player and remote app can be sure the other side is who they claim to be
  • Confidentiality: no third party can read the information exchanged between player and remote app
  • Integrity: player and remote can detect any in-transit changes to their communication

Important

To be able to use security features, you will need to implement both a custom player and a custom remote app using either the Windows Mixed Reality or the OpenXR APIs.

Note

Starting with version 2.4.0, remote apps using the OpenXR API can be created. An overview of how to establish a secure connection in an OpenXR environment can be found below.

Planning the security implementation

When you enable security in Holographic Remoting, the remoting library will automatically enable encryption and integrity checks for all data exchanged over the network.

Ensuring proper authentication requires some extra work though. What exactly you need to do depends on your use case, and the rest of this section is about figuring out the necessary steps.

Important

This article can only provide general guidance. If you feel unsure, consider consulting a security expert who can give you guidance specific to your use case.

First some terminology: when describing network connections, the terms client and server will be used. The server is the side listening for incoming connections on a known endpoint address, and the client is the side connecting to the server's endpoint.

Note

The client and server roles are not tied to whether an app is acting as a player or as a remote. While the samples have the player in the server role, it's easy to reverse the roles if that better fits your use case.

Planning the server-to-client authentication

The server uses digital certificates to prove its identity to the client. The client validates the server's certificate during the connection handshake phase. If the client doesn't trust the server, it will end the connection at this point.

How the client validates the server certificate, and what kinds of server certificates can be used, depends on your use case.

Use case 1: The server host name isn't fixed, or the server isn't addressed by host name at all.

In this use case, it isn't practical (or even possible) to issue a certificate for the server's host name. We recommend that you validate the certificate's thumbprint instead. Like a human fingerprint, the thumbprint uniquely identifies a certificate.

It's important to communicate the thumbprint to the client out-of-band. That means you can't send it over the same network connection that's used for remoting. Instead, you could manually enter it into the client's configuration, or have the client scan a QR code.

Use case 2: The server can be reached over a stable host name.

In this use case, the server has a specific host name, and you know this name isn't likely to change. You can then use a certificate issued to the server's host name. Trust will be established based on the host name and the certificate's chain of trust.

If you choose this option, the client needs to know the server's host name and the root certificate in advance.

Planning the client-to-server authentication

Clients authenticate against the server using a free-form token. What this token should contain will again depend on your use case:

Use case 1: You only need to verify the client app's identity.

In this use case, a shared secret can be sufficient. This secret must be complex enough that it can't be guessed.

A good shared secret is a random GUID, which is manually entered in both the server's and the client's configuration. To create one you can, for example, use the New-Guid command in PowerShell.

Make sure this shared secret is never communicated over insecure channels. The remoting library ensures that the shared secret is always sent encrypted, and only to trusted peers.
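The server-side check for this use case, as an added example that is not code from the page or from the remoting library: a plain C++ stand-in for the IAuthenticationReceiver shape (GetRealm(), ValidateToken() completing through a callback), comparing the received token against a configured GUID in constant time. The class and callback type are hypothetical; the GUID value is a constructed sample.

```cpp
#include <cstdint>
#include <functional>
#include <string>
// Stand-in for the library's callback object: the real IAuthenticationReceiver reports its
// decision by calling ValidationCompleted() on the callback passed to ValidateToken().
using ValidationCallback = std::function<void(bool accepted)>;
// Normalise a GUID the way an operator might have typed it into the configuration:
// drop braces and hyphens, lower-case, so "{3F2504E0-...}" and "3f2504e0..." compare equal.
static std::string normaliseGuid(const std::string& g) {
    std::string s;
    for (char c : g) {
        if (c == '{' || c == '}' || c == '-') continue;
        s += (c >= 'A' && c <= 'F') ? char(c + 32) : c;
    }
    return s;
}
// A shared secret must be exactly 32 hex digits after normalisation; anything else is rejected
// before comparison, so malformed tokens never reach the equality check.
static bool isGuidShape(const std::string& s) {
    if (s.size() != 32) return false;
    for (char c : s) if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) return false;
    return true;
}
// Constant-time equality: a rejected token must not reveal how many leading digits matched.
static bool ctEqual(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= uint8_t(a[i]) ^ uint8_t(b[i]);
    return diff == 0;
}
// Server-side validator for client-to-server use case 1 (shared secret). Hypothetical class.
class SharedSecretReceiver {
public:
    SharedSecretReceiver(const std::string& realm, const std::string& secret)
        : realm_(realm), secret_(normaliseGuid(secret)) {}
    std::string GetRealm() const { return realm_; }   // mirrors IAuthenticationReceiver::GetRealm()
    // Mirrors ValidateToken(): decide, then complete through the callback (any thread is fine).
    void ValidateToken(const std::string& token, const ValidationCallback& done) const {
        const std::string t = normaliseGuid(token);
        done(isGuidShape(t) && ctEqual(t, secret_));
    }
private:
    std::string realm_, secret_;
};
// Synchronous helper so the decision can be inspected directly.
static bool validateSync(const SharedSecretReceiver& r, const std::string& token) {
    bool accepted = false;
    r.ValidateToken(token, [&](bool ok) { accepted = ok; });
    return accepted;
}
```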

Use case 2: You also need to verify the identity of the client app's user.

A shared secret won't be enough to cover this use case. Instead, you can use tokens created by an identity provider. An authentication workflow using an identity provider would look like this:

  • The client authorizes against the identity provider and requests a token
  • The identity provider generates a token and sends it to the client
  • The client sends this token to the server through Holographic Remoting
  • The server validates the client's token against the identity provider

One example of an identity provider is the Microsoft identity platform.

Like in the previous use case, make sure these tokens aren't sent through insecure channels or otherwise exposed.

Implementing holographic remoting security

Remember that you need to implement custom remote and player apps if you want to enable connection security. You can use the provided samples as starting points for your own apps.

To enable security, call ListenSecure() instead of Listen(), and ConnectSecure() instead of Connect() to establish the remoting connection.

These calls require you to provide implementations of certain interfaces for providing and validating security-related information:

  • The server needs to implement a certificate provider and an authentication validator
  • The client needs to implement an authentication provider and a certificate validator

All interfaces have a function requesting you to take action, which receives a callback object as a parameter. Using this object, you can easily implement asynchronous handling of the request. Keep a reference to this object, and call the completion function when the asynchronous action is complete. The completion function may be called from any thread.

Tip

Implementing WinRT interfaces can easily be done using C++/WinRT. The Author APIs with C++/WinRT chapter describes this in detail.

Important

The build\native\include\HolographicAppRemoting\Microsoft.Holographic.AppRemoting.idl inside the NuGet package contains detailed documentation for the API related to secure connections.

Implementing a certificate provider

Certificate providers supply the server application with the certificate to use. The implementation consists of two parts:

  1. A certificate object, which implements the ICertificate interface:

    • GetCertificatePfx() should return the binary contents of a PKCS#12 certificate store. A .pfx file contains PKCS#12 data, so its contents can be used directly here.
    • GetSubjectName() should return the friendly name that identifies the certificate to use. If no friendly name is assigned to the certificate, this function should return the certificate's subject name.
    • GetPfxPassword() should return the password required to open the certificate store (or an empty string if no password is required).
  2. A certificate provider implementing the ICertificateProvider interface:

    • GetCertificate() should construct a certificate object and return it by calling CertificateReceived() on the callback object.

Implementing an authentication validator

Authentication validators receive the authentication token sent by the client, and answer back with the validation result.

Implement the IAuthenticationReceiver interface as follows:

  • GetRealm() should return the name of the authentication realm (an HTTP realm used during the remoting connection handshake).
  • ValidateToken() should validate the client authentication token and call ValidationCompleted() on the callback object with the validation result.

Implementing an authentication provider

Authentication providers generate or retrieve the authentication token to be sent to the server.

Implement the IAuthenticationProvider interface as follows:

  • GetToken() should generate or retrieve the authentication token to be sent. Once the token is ready, call the TokenReceived() method on the callback object.

Implementing a certificate validator

Certificate validators receive the certificate chain sent by the server and determine whether the server can be trusted.

To validate certificates, you can use the validation logic of the underlying system. This system validation can either support your own validation logic, or replace it altogether. If you don't pass your own certificate validator when requesting a secure connection, system validation will be used automatically.

On Windows, the system validation will check for:

  • Integrity of the certificate chain: the certificates form a consistent chain that ends at a trusted root certificate
  • Certificate validity: the server's certificate is within its validity timespan, and is issued for server authentication
  • Revocation: the certificate hasn't been revoked
  • Name match: the host name of the server matches one of the host names the certificate was issued for

Implement the ICertificateValidator interface as follows:

  • PerformSystemValidation() should return true if a system validation as described above should be performed. In this case, the system validation result is passed as an input to the ValidateCertificate() method.
  • ValidateCertificate() should validate the certificate chain and then call CertificateValidated() on the passed callback with the final validation result. This method accepts the certificate chain, the name of the server the connection is being established with, and whether a revocation check should be forced. If the certificate chain contains multiple certificates, the first one is the subject certificate.

Note

If your use case requires a different form of validation (see certificate use case 1 above), bypass system validation entirely. Instead, use any API or library that can handle DER-encoded X.509 certificates to decode the certificate chain and perform the checks needed for your use case.
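The thumbprint check for certificate use case 1, as an added example that is not code from the page or the remoting library: the chain is modelled as a vector of DER byte strings (chain[0] being the subject certificate, as stated above), the thumbprint is the SHA-1 of the DER bytes as Windows displays it, and a small SHA-1 is inlined so the code runs without a crypto library. The function names are hypothetical and the input bytes are a constructed stand-in for a certificate, not real DER.

```cpp
#include <array>
#include <cstdint>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Minimal SHA-1 (the hash behind a Windows certificate thumbprint), inlined so this runs without a crypto library.
static uint32_t rotl(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }
static std::array<uint8_t, 20> sha1(const Bytes& in) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    Bytes m(in); m.push_back(0x80);                           // pad: 1 bit, zeros, 64-bit big-endian length
    while (m.size() % 64 != 56) m.push_back(0);
    uint64_t bits = uint64_t(in.size()) * 8;
    for (int i = 7; i >= 0; --i) m.push_back(uint8_t(bits >> (i * 8)));
    for (size_t off = 0; off < m.size(); off += 64) {         // one 512-bit block per iteration
        uint32_t w[80];
        for (int i = 0; i < 16; ++i)
            w[i] = (uint32_t(m[off+4*i]) << 24) | (uint32_t(m[off+4*i+1]) << 16) |
                   (uint32_t(m[off+4*i+2]) << 8) | m[off+4*i+3];
        for (int i = 16; i < 80; ++i) w[i] = rotl(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 80; ++i) {
            uint32_t f = i < 20 ? (b & c) | (~b & d) : i < 40 ? b ^ c ^ d : i < 60 ? (b & c) | (b & d) | (c & d) : b ^ c ^ d;
            uint32_t k = i < 20 ? 0x5A827999 : i < 40 ? 0x6ED9EBA1 : i < 60 ? 0x8F1BBCDC : 0xCA62C1D6;
            uint32_t t = rotl(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rotl(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    std::array<uint8_t, 20> out; for (int i = 0; i < 5; ++i) for (int j = 0; j < 4; ++j) out[4*i+j] = uint8_t(h[i] >> (24 - 8*j));
    return out;
}
// Same normalisation for both sides: lower-case hex, no separators (certmgr shows "a9 99 3e ..." or "A9:99:3E:...").
static std::string normalise(const std::string& t) {
    std::string s; for (char c : t) if (c != ' ' && c != ':') s += (c >= 'A' && c <= 'F') ? char(c + 32) : c;
    return s;
}
static std::string thumbprint(const Bytes& derCert) {
    std::string s; for (uint8_t b : sha1(derCert)) { s += "0123456789abcdef"[b >> 4]; s += "0123456789abcdef"[b & 15]; }
    return s;
}
// Constant-time equality: a rejected certificate must not reveal how many leading digits matched.
static bool ctEqual(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false; unsigned diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= uint8_t(a[i]) ^ uint8_t(b[i]);
    return diff == 0;
}
// Use case 1 validator: chain[0] is the subject certificate; trust it only if it matches the thumbprint received out-of-band.
static bool validateByThumbprint(const std::vector<Bytes>& chain, const std::string& pinnedThumbprint) {
    return !chain.empty() && ctEqual(thumbprint(chain[0]), normalise(pinnedThumbprint));
}
```

In a real ICertificateValidator this decision would come from PerformSystemValidation() returning false and ValidateCertificate() passing the result of such a check to CertificateValidated(); to allow certificate rotation, compare against each of several pinned thumbprints and accept if any matches.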

Secure connection using the OpenXR API

When using the OpenXR API, all secure-connection-related API is available as part of the XR_MSFT_holographic_remoting OpenXR extension.

Important

To learn about the Holographic Remoting OpenXR extension API, check out the specification, which can be found in the Holographic Remoting samples GitHub repository.

The key elements for a secure connection using the XR_MSFT_holographic_remoting OpenXR extension are the following callbacks:

  • xrRemotingRequestAuthenticationTokenCallbackMSFT generates or retrieves the authentication token to be sent.
  • xrRemotingValidateServerCertificateCallbackMSFT validates the certificate chain.
  • xrRemotingValidateAuthenticationTokenCallbackMSFT validates the client authentication token.
  • xrRemotingRequestServerCertificateCallbackMSFT supplies the server application with the certificate to use.

These callbacks can be provided to the remoting OpenXR runtime via xrRemotingSetSecureConnectionClientCallbacksMSFT and xrRemotingSetSecureConnectionServerCallbacksMSFT. Additionally, the secure connection needs to be enabled via the secureConnection parameter on the XrRemotingConnectInfoMSFT structure or the XrRemotingListenInfoMSFT structure, depending on whether you're using xrRemotingConnectMSFT or xrRemotingListenMSFT.

This API is similar to the IDL-based API described in Implementing holographic remoting security. However, instead of implementing interfaces, you provide callback implementations. You can find a detailed example in the OpenXR sample app.

See Also